Thresholds for key performance indicators derived from machine data

ABSTRACT

One or more processing devices access a service definition for a service provided by one or more entities that each produce machine data or about which machine data is generated. The service definition identifies the entities that provide the service and, for each entity, identifying information for locating machine data pertaining to that entity. The processing devices access a key performance indicator (KPI) for the service that is defined by a search query that produces a value derived from the machine data pertaining to the entities identified in the service definition. The value indicates how the service is performing at a point in time or during a period of time and indicates a state of the KPI. A graphical interface is displayed and an indication of at least one threshold, which defines an end of a range of values representing a state of the KPI, for the KPI is received.

RELATED APPLICATION

This application is a continuation of U.S. Nonprovisional applicationSer. No. 14/934,126, filed Nov. 5, 2015, entitled “Thresholds for KeyPerformance Indicators Derived from Machine Data,” which is acontinuation of U.S. Nonprovisional application Ser. No. 14/528,894,filed Oct. 30, 2014, entitled “Thresholds for Key Performance IndicatorsDerived from Machine Data,” issued as U.S. Pat. No. 9,208,463 on Dec. 8,2015, which claims the benefit of U.S. Provisional Patent ApplicationNo. 62/062,104 filed Oct. 9, 2014, entitled “Monitoring Service-LevelPerformance Using Key Performance Indicators Derived from Machine Data,”each and all of which are hereby incorporated by reference in theirentireties for all valid purposes.

TECHNICAL FIELD

The present disclosure relates to monitoring services and, moreparticularly, to monitoring service-level performance using keyperformance indicators derived from machine data.

BACKGROUND

Modern data centers often comprise thousands of hosts that operatecollectively to service requests from even larger numbers of remoteclients. During operation, components of these data centers can producesignificant volumes of machine-generated data. The unstructured natureof much of this data has made it challenging to perform indexing andsearching operations because of the difficulty of applying semanticmeaning to unstructured data. As the number of hosts and clientsassociated with a data center continues to grow, processing largevolumes of machine-generated data in an intelligent manner andeffectively presenting the results of such processing continues to be apriority.

BRIEF DESCRIPTION OF THE DRAWINGS

The present disclosure will be understood more fully from the detaileddescription given below and from the accompanying drawings of variousimplementations of the disclosure.

FIG. 1 illustrates a block diagram of an example of entities providing aservice, in accordance with one or more implementations of the presentdisclosure.

FIG. 2 is a block diagram of one implementation of a service monitoringsystem, in accordance with one or more implementations of the presentdisclosure.

FIG. 3 is a block diagram illustrating an entity definition for anentity, in accordance with one or more implementations of the presentdisclosure.

FIG. 4 is a block diagram illustrating a service definition that relatesone or more entities with a service, in accordance with one or moreimplementations of the present disclosure.

FIG. 5 is a flow diagram of an implementation of a method for creatingone or more key performance indicators for a service, in accordance withone or more implementations of the present disclosure.

FIG. 6 is a flow diagram of an implementation of a method for creatingan entity definition for an entity, in accordance with one or moreimplementations of the present disclosure.

FIG. 7 illustrates an example of a graphical user interface (GUI) forcreating and/or editing entity definition(s) and/or servicedefinition(s), in accordance with one or more implementations of thepresent disclosure.

FIG. 8 illustrates an example of a GUI for creating and/or editingentity definitions, in accordance with one or more implementations ofthe present disclosure.

FIG. 9A illustrates an example of a GUI for creating an entitydefinition, in accordance with one or more implementations of thepresent disclosure.

FIG. 9B illustrates an example of input received via GUI for creating anentity definition, in accordance with one or more implementations of thepresent disclosure.

FIG. 10 illustrates an example of a GUI for creating and/or editingentity definitions, in accordance with one or more implementations ofthe present disclosure.

FIG. 11 is a flow diagram of an implementation of a method for creatinga service definition for a service, in accordance with one or moreimplementations of the present disclosure.

FIG. 12 illustrates an example of a GUI for creating and/or editingservice definitions, in accordance with one or more implementations ofthe present disclosure.

FIG. 13 illustrates an example of a GUI for identifying a service for aservice definition, in accordance with one or more implementations ofthe present disclosure.

FIG. 14 illustrates an example of a GUI for creating a servicedefinition, in accordance with one or more implementations of thepresent disclosure.

FIG. 15 illustrates an example of a GUI for associating one or moreentities with a service by associating one or more entity definitionswith a service definition, in accordance with one or moreimplementations of the present disclosure.

FIG. 16 illustrates an example of a GUI facilitating user input forcreating an entity definition, in accordance with one or moreimplementations of the present disclosure.

FIG. 17 illustrates an example of a GUI indicating one or more entitiesassociated with a service based on input, in accordance with one or moreimplementations of the present disclosure.

FIG. 18 illustrates an example of a GUI for specifying dependencies forthe service, in accordance with one or more implementations of thepresent disclosure.

FIG. 19 is a flow diagram of an implementation of a method for creatingone or more key performance indicators (KPIs) for a service, inaccordance with one or more implementations of the present disclosure.

FIG. 20 is a flow diagram of an implementation of a method for creatinga search query, in accordance with one or more implementations of thepresent disclosure.

FIG. 21 illustrates an example of a GUI for creating a KPI for aservice, in accordance with one or more implementations of the presentdisclosure.

FIG. 22 illustrates an example of a GUI for creating a KPI for aservice, in accordance with one or more implementations of the presentdisclosure.

FIG. 23 illustrates an example of a GUI for receiving input of searchprocessing language for defining a search query for a KPI for a service,in accordance with one or more implementations of the presentdisclosure.

FIG. 24 illustrates an example of a GUI for defining a search query fora KPI using a data model, in accordance with one or more implementationsof the present disclosure.

FIG. 25 illustrates an example of a GUI for facilitating user input forselecting a data model and an object of the data model to use for thesearch query, in accordance with one or more implementations of thepresent disclosure.

FIG. 26 illustrates an example of a GUI for displaying a selectedstatistic, in accordance with one or more implementations of the presentdisclosure.

FIG. 27 illustrates an example of a GUI for editing which entitydefinitions to use for the KPI, in accordance with one or moreimplementations of the present disclosure.

FIG. 28 is a flow diagram of an implementation of a method for definingone or more thresholds for a KPI, in accordance with one or moreimplementations of the present disclosure.

FIGS. 29A-B, illustrate examples of a graphical interface enabling auser to set a threshold for the KPI, in accordance with one or moreimplementations of the present disclosure.

FIG. 30 illustrates an example GUI for enabling a user to set one ormore thresholds for the KPI, in accordance with one or moreimplementations of the present disclosure.

FIG. 31A-C illustrate example GUIs for defining thresholds for a KPI, inaccordance with one or more implementations of the present disclosure.

FIG. 32 is a flow diagram of an implementation of a method forcalculating an aggregate KPI score for a service based on the KPIs forthe service, in accordance with one or more implementations of thepresent disclosure.

FIG. 33A illustrates an example GUI 3300 for assigning a frequency ofmonitoring to a KPI based on user input, in accordance with one or moreimplementations of the present disclosure.

FIG. 33B illustrates an example GUI for defining threshold settings,including state ratings, for a KPI, in accordance with one or moreimplementations of the present disclosure.

FIG. 34 is a flow diagram of an implementation of a method forcalculating a value for an aggregate KPI for the service, in accordancewith one or more implementations of the present disclosure.

FIG. 35 is a flow diagram of an implementation of a method for creatinga service-monitoring dashboard, in accordance with one or moreimplementations of the present disclosure.

FIG. 36A illustrates an example GUI for creating and/or editing aservice-monitoring dashboard, in accordance with one or moreimplementations of the present disclosure.

FIG. 36B illustrates an example GUI for a dashboard-creation graphicalinterface for creating a service-monitoring dashboard, in accordancewith one or more implementations of the present disclosure.

FIG. 37 illustrates an example GUI for a dashboard-creation graphicalinterface including a user selected background image, in accordance withone or more implementations of the present disclosure.

FIG. 38 illustrates an example GUI for displaying of a set of KPIsassociated with a selected service, in accordance with one or moreimplementations of the present disclosure.

FIG. 39 illustrates an example GUI facilitating user input for selectinga location in the dashboard template and style settings for a KPIwidget, and displaying the KPI widget in the dashboard template, inaccordance with one or more implementations of the present disclosure.

FIG. 40 illustrates an example Noel gauge widget, in accordance with oneor more implementations of the present disclosure.

FIG. 41 illustrates an example single value widget, in accordance withone or more implementations of the present disclosure.

FIG. 42 illustrates an example GUI illustrating a search query and asearch result for a Noel gauge widget, a single value widget, and atrend indicator widget, in accordance with one or more implementationsof the present disclosure.

FIG. 43 illustrates an example GUI portion of a service-monitoringdashboard for facilitating user input specifying a time range to usewhen executing a search query defining a KPI, in accordance with one ormore implementations of the present disclosure.

FIG. 44 illustrates spark line widget, in accordance with one or moreimplementations of the present disclosure.

FIG. 45 illustrates an example GUI illustrating a search query andsearch results for a spark line widget, in accordance with one or moreimplementations of the present disclosure.

FIG. 46 illustrates a trend indicator widget, in accordance with one ormore implementations of the present disclosure.

FIG. 47A is a flow diagram of an implementation of a method for creatingand causing for display a service-monitoring dashboard, in accordancewith one or more implementations of the present disclosure.

FIG. 47B describes an example service-monitoring dashboard GUI, inaccordance with one or more implementations of the present disclosure.

FIG. 48 describes an example home page GUI for service-level monitoring,in accordance with one or more implementations of the presentdisclosure.

FIG. 49 describes an example home page GUI for service-level monitoring,in accordance with one or more implementations of the presentdisclosure.

FIG. 50A is a flow diagram of an implementation of a method for creatinga visual interface displaying graphical visualizations of KPI valuesalong time-based graph lanes, in accordance with one or moreimplementations of the present disclosure.

FIG. 50B is a flow diagram of an implementation of a method forgenerating a graphical visualization of KPI values along a time-basedgraph lane, in accordance with one or more implementations of thepresent disclosure.

FIG. 51 illustrates an example of a graphical user interface (GUI) forcreating a visual interface displaying graphical visualizations of KPIvalues along time-based graph lanes, in accordance with one or moreimplementations of the present disclosure.

FIG. 52 illustrates an example of a GUI for adding a graphicalvisualization of KPI values along a time-based graph lane to a visualinterface, in accordance with one or more implementations of the presentdisclosure.

FIG. 53 illustrates an example of a visual interface with time-basedgraph lanes for displaying graphical visualizations, in accordance withone or more implementations of the present disclosure.

FIG. 54 illustrates an example of a visual interface displayinggraphical visualizations of KPI values along time-based graph lanes, inaccordance with one or more implementations of the present disclosure.

FIG. 55A illustrates an example of a visual interface with a usermanipulable visual indicator spanning across the time-based graph lanes,in accordance with one or more implementations of the presentdisclosure.

FIG. 55B is a flow diagram of an implementation of a method forinspecting graphical visualizations of KPI values along a time-basedgraph lane, in accordance with one or more implementations of thepresent disclosure.

FIG. 56 illustrates an example of a visual interface displayinggraphical visualizations of KPI values along time-based graph lanes withoptions for editing the graphical visualizations, in accordance with oneor more implementations of the present disclosure.

FIG. 57 illustrates an example of a GUI for editing a graphicalvisualization of KPI values along a time-based graph lane in a visualinterface, in accordance with one or more implementations of the presentdisclosure.

FIG. 58 illustrates an example of a GUI for editing a graph style of agraphical visualization of KPI values along a time-based graph lane in avisual interface, in accordance with one or more implementations of thepresent disclosure.

FIG. 59 illustrates an example of a GUI for selecting the KPIcorresponding to a graphical visualization along a time-based graph lanein a visual interface, in accordance with one or more implementations ofthe present disclosure.

FIG. 60 illustrates an example of a GUI for selecting a data modelcorresponding to a graphical visualization along a time-based graph lanein a visual interface, in accordance with one or more implementations ofthe present disclosure.

FIG. 61 illustrates an example of a GUI for selecting a data modelcorresponding to a graphical visualization along a time-based graph lanein a visual interface, in accordance with one or more implementations ofthe present disclosure.

FIG. 62 illustrates an example of a GUI for editing an aggregationoperation for a data model corresponding to a graphical visualizationalong a time-based graph lane in a visual interface, in accordance withone or more implementations of the present disclosure.

FIG. 63 illustrates an example of a GUI for selecting a time range thatgraphical visualizations along a time-based graph lane in a visualinterface should cover, in accordance with one or more implementationsof the present disclosure.

FIG. 64A illustrates an example of a visual interface for selecting asubset of a time range that graphical visualizations along a time-basedgraph lane in a visual interface cover, in accordance with one or moreimplementations of the present disclosure.

FIG. 64B is a flow diagram of an implementation of a method forenhancing a view of a subset a subset of a time range for a time-basedgraph lane, in accordance with one or more implementations of thepresent disclosure.

FIG. 65 illustrates an example of a visual interface displayinggraphical visualizations of KPI values along time-based graph lanes fora selected subset of a time range, in accordance with one or moreimplementations of the present disclosure.

FIG. 66 illustrates an example of a visual interface displaying twingraphical visualizations of KPI values along time-based graph lanes fordifferent periods of time, in accordance with one or moreimplementations of the present disclosure.

FIG. 67 illustrates an example of a visual interface with a usermanipulable visual indicator spanning across twin graphicalvisualizations of KPI values along time-based graph lanes for differentperiods of time, in accordance with one or more implementations of thepresent disclosure.

FIG. 68 illustrates an example of a visual interface displaying a graphlane with inventory information for a service or entities reflected byKPI values, in accordance with one or more implementations of thepresent disclosure.

FIG. 69 illustrates an example of a visual interface displaying a graphlane with notable events occurring during a timer period covered bygraphical visualization of KPI values, in accordance with one or moreimplementations of the present disclosure.

FIG. 70 illustrates an example of a visual interface displaying a graphlane with notable events occurring during a timer period covered bygraphical visualization of KPI values, in accordance with one or moreimplementations of the present disclosure.

FIG. 71 presents a block diagram of an event-processing system inaccordance with one or more implementations of the present disclosure.

FIG. 72 presents a flowchart illustrating how indexers process, index,and store data received from forwarders in accordance with one or moreimplementations of the present disclosure.

FIG. 73 presents a flowchart illustrating how a search head and indexersperform a search query in accordance with one or more implementations ofthe present disclosure.

FIG. 74A presents a block diagram of a system for processing searchrequests that uses extraction rules for field values in accordance withone or more implementations of the present disclosure.

FIG. 74B illustrates an example data model structure, in accordance withsome implementations of the present disclosure.

FIG. 74C illustrates an example definition of a root object of a datamodel, in accordance with some implementations.

FIG. 74D illustrates example definitions and of child objects, inaccordance with some implementations.

FIG. 75 illustrates an exemplary search query received from a client andexecuted by search peers in accordance with one or more implementationsof the present disclosure.

FIG. 76A illustrates a search screen in accordance with one or moreimplementations of the present disclosure.

FIG. 76B illustrates a data summary dialog that enables a user to selectvarious data sources in accordance with one or more implementations ofthe present disclosure.

FIG. 77A illustrates a key indicators view in accordance with one ormore implementations of the present disclosure.

FIG. 77B illustrates an incident review dashboard in accordance with oneor more implementations of the present disclosure.

FIG. 77C illustrates a proactive monitoring tree in accordance with oneor more implementations of the present disclosure.

FIG. 77D illustrates a screen displaying both log data and performancedata in accordance with one or more implementations of the presentdisclosure.

FIG. 78 depicts a block diagram of an example computing device operatingin accordance with one or more implementations of the presentdisclosure.

DETAILED DESCRIPTION

Overview

The present disclosure is directed to monitoring performance of a systemat a service level using key performance indicators derived from machinedata. Implementations of the present disclosure provide users withinsight to the performance of monitored services, such as, servicespertaining to an information technology (IT) environment. For example,one or more users may wish to monitor the performance of a web hostingservice, which provides hosted web content to end users via network.

A service can be provided by one or more entities. An entity thatprovides a service can be associated with machine data. As described ingreater detail below, the machine data pertaining to a particular entitymay use different formats and/or different aliases for the entity.

Implementations of the present disclosure are described for normalizingthe different aliases and/or formats of machine data pertaining to thesame entity. In particular, an entity definition can be created for arespective entity. The entity definition can normalize various machinedata pertaining to a particular entity, thus simplifying the use ofheterogeneous machine data for monitoring a service.

Implementations of the present disclosure are described for specifyingwhich entities, and thus, which heterogeneous machine data, to use formonitoring a service. In one implementation, a service definition iscreated for a service that is to be monitored. The service definitionspecifies one or more entity definitions, where each entity definitioncorresponds to a respective entity providing the service. The servicedefinition provides users with flexibility in associating entities withservices. The service definition further provides users with the abilityto define relationships between entities and services at the machinedata level. Implementations of the present disclosure enable end-usersto monitor services from a top-down perspective and can provide richvisualization to troubleshoot any service-related issues.Implementations of the present disclosure enable end-users to understandan environment (e.g., IT environment) and the services in theenvironment. For example, end-users can understand and monitor servicesat a business service level, application tier level, etc.

Implementations of the present disclosure are described for monitoring aservice at a granular level. For example, one or more aspects of aservice can be monitored using one or more key performance indicatorsfor the service. A performance indicator or key performance indicator(KPI) is a type of performance measurement. For example, users may wishto monitor the CPU (central processing unit) usage of a web hostingservice, the memory usage of the web hosting service, and the requestresponse time for the web hosting service. In one implementation, aseparate KPI can be created for each of these aspects of the servicethat indicates how the corresponding aspect is performing.

Implementations of the present disclosure give users freedom to decidewhich aspects to monitor for a service and which heterogeneous machinedata to use for a particular KPI. In particular, one or more KPIs can becreated for a service. Each KPI can be defined by a search query thatproduces a value derived from the machine data identified in the entitydefinitions specified in the service definition. Each value can beindicative of how a particular aspect of the service is performing at apoint in time or during a period of time. Implementations of the presentdisclosure enable users to decide what value should be produced by thesearch query defining the KPI. For example, a user may wish that therequest response time be monitored as the average response time over aperiod of time.

Implementations of the present disclosure are described for customizingvarious states that a KPI can be in. For example, a user may define aNormal state, a Warning state, and a Critical state for a KPI, and thevalue produced by the search query of the KPI can indicate the currentstate of the KPI. In one implementation, one or more thresholds arecreated for each KPI. Each threshold defines an end of a range of valuesthat represent a particular state of the KPI. A graphical interface canbe provided to facilitate user input for creating one or more thresholdsfor each KPI, naming the states for the KPI, and associating a visualindicator (e.g., color, pattern) to represent a respective state.

Implementations of the present disclosure are described for monitoring aservice at a more abstract level, as well. In particular, an aggregateKPI can be configured and calculated for a service to represent theoverall health of a service. For example, a service may have 10 KPIs,each monitoring a various aspect of the service. The service may have 7KPIs in a Normal state, 2 KPIs in a Warning state, and 1 KPI in aCritical state. The aggregate KPI can be a value representative of theoverall performance of the service based on the values for theindividual KPIs. Implementations of the present disclosure allowindividual KPIs of a service to be weighted in terms of how important aparticular KPI is to the service relative to the other KPIs in theservice, thus giving users control of how to represent the overallperformance of a service and control in providing a more accuraterepresentation of the performance of the service. In addition, specificactions can be defined that are to be taken when the aggregate KPIindicating the overall health of a service, for example, exceeds aparticular threshold.

Implementations of the present disclosure are described for creatingnotable events and/or alarms via distribution thresholding. In oneimplementation, a correlation search is created and used to generatenotable event(s) and/or alarm(s). A correlation search can be created todetermine the status of a set of KPIs for a service over a definedwindow of time. A correlation search represents a search query that hasa triggering condition and one or more actions that correspond to thetrigger condition. Thresholds can be set on the distribution of thestate of each individual KPI and if the distribution thresholds areexceeded then an alert/alarm can be generated.

Implementations of the present disclosure are described for providing aservice-monitoring dashboard that displays one or more KPI widgets. EachKPI widget can provide a numerical or graphical representation of one ormore values for a corresponding KPI or service health score (aggregateKPI for a service) indicating how a service or an aspect of a service isperforming at one or more points in time. Users can be provided with theability to design and draw the service-monitoring dashboard and tocustomize each of the KPI widgets. A dashboard-creation graphicalinterface can be provided to define a service-monitoring dashboard basedon user input allowing different users to each create a customizedservice-monitoring dashboard. Users can select an image for theservice-monitoring dashboard (e.g., image for the background of aservice-monitoring dashboard, image for an entity and/or service forservice-monitoring dashboard), draw a flow chart or a representation ofan environment (e.g., IT environment), specify which KPIs to include inthe service-monitoring dashboard, configure a KPI widget for eachspecified KPI, and add one or more adhoc KPI searches to theservice-monitoring dashboard. Implementations of the present disclosureprovide users with service monitoring information that can becontinuously and/or periodically updated. Each service-monitoringdashboard can provide a service-level perspective of how one or moreservices are performing to help users make operating decisions and/orfurther evaluate the performance of one or more services.

Implementations are described for a visual interface that displaystime-based graphical visualizations that each corresponds to a differentKPI reflecting how a service provided by one or more entities isperforming. This visual interface may be referred to as a “deep dive.”As described herein, machine data pertaining to one or more entitiesthat provide a given service can be presented and viewed in a number ofways. The deep dive visual interface allows an in-depth look at KPI datathat reflects how a service or entity is performing over a certainperiod of time. By having multiple graphical visualizations, eachrepresenting a different service or a different aspect of the sameservice, the deep dive visual interface allows a user to visuallycorrelate the respective KPIs over a defined period of time. In oneimplementation, the graphical visualizations are all calibrated to thesame time scale, so that the values of different KPIs can be compared atany given point in time. In one implementation, the graphicalvisualizations are all calibrated to different time scales. Althougheach graphical visualization is displayed in the same visual interface,one or more of the graphical visualizations may have a different timescale than the other graphical visualizations. The different time scalemay be more appropriate for the underlying KPI data associated with theone or more graphical visualizations. In one implementation, thegraphical visualizations are displayed in parallel lanes, whichsimplifies visual correlation and allows a user to relate theperformance of one service or one aspect of the service (as representedby the KPI values) to the performance of one or more additional servicesor one or more additional aspects of the same service.

FIG. 1 illustrates a block diagram of an example service provided byentities, in accordance with one or more implementations of the presentdisclosure. One or more entities 104A,104B provide service 102. Anentity 104A,104B can be a component in an IT environment. Examples of anentity can include, and are not limited to a host machine, a virtualmachine, a switch, a firewall, a router, a sensor, etc. For example, theservice 102 may be a web hosting service, and the entities 104A,104B maybe web servers running on one or more host machines to provide the webhosting service. In another example, an entity could represent a singleprocess on different (physical or virtual) machines. In another example,an entity could represent communication between two different machines.

The service 102 can be monitored using one or more KPIs 106 for theservice. A KPI is a type of performance measurement. One or more KPIscan be defined for a service. In the illustrated example, three KPIs106A-C are defined for service 102. KPI 106A may be a measurement of CPU(central processing unit) usage for the service 102. KPI 106B may be ameasurement of memory usage for the service 102. KPI 106C may be ameasurement of request response time for the service 102.

In one implementation, KPI 106A-C is derived based on machine datapertaining to entities 104A and 104B that provide the service 102 thatis associated with the KPI 106A-C. In another implementation, KPI 106A-Cis derived based on machine data pertaining to entities other thanand/or in addition to entities 104A and 104B. In another implementation,input (e.g., user input) may be received that defines a custom query,which does not use entity filtering, and is treated as a KPI, Machinedata pertaining to a specific entity can be machine data produced bythat entity or machine data about that entity, which is produced byanother entity. For example, machine data pertaining to entity 104A canbe derived from different sources that may be hosted by entity 104Aand/or some other entity or entities.

A source of machine data can include, for example, a softwareapplication, a module, an operating system, a script, an applicationprogramming interface, etc. For example, machine data 110B may be logdata that is produced by the operating system of entity 104A. In anotherexample, machine data 110C may be produced by a script that is executingon entity 104A. In yet another example, machine data 110A may be aboutan entity 104A and produced by a software application 120A that ishosted by another entity to monitor the performance of the entity 104Athrough an application programming interface (API).

For example, entity 104A may be a virtual machine and softwareapplication 120A may be executing outside of the virtual machine (e.g.,on a hypervisor or a host operating system) to monitor the performanceof the virtual machine via an API. The API can generate network packetdata including performance measurements for the virtual machine, suchas, memory utilization, CPU usage, etc.

Similarly, machine data pertaining to entity 104B may include, forexample, machine data 110D, such as log data produced by the operatingsystem of entity 104B, and machine data 110E, such as network packetsincluding http responses generated by a web server hosted by entity104B.

Implementations of the present disclosure provide for an associationbetween an entity (e.g., a physical machine) and machine data pertainingto that entity (e.g., machine data produced by different sources hostedby the entity or machine data about the entity that may be produced bysources hosted by some other entity or entities). The association may beprovided via an entity definition that identifies machine data fromdifferent sources and links the identified machine data with the actualentity to which the machine data pertains, as will be discussed in moredetail below in conjunction with FIG. 3 and FIGS. 6-10. Entities thatare part of a particular service can be further grouped via a servicedefinition that specifies entity definitions of the entities providingthe service, as will be discussed in more detail below in conjunctionwith FIGS. 11-31.

In the illustrated example, an entity definition for entity 104A canassociate machine data 110A, 110B and 110C with entity 104A, an entitydefinition for entity 104B can associate machine data 110D and 110E withentity 104B, and a service definition for service 102 can group entities104A and 104B together, thereby defining a pool of machine data that canbe operated on to produce KPIs 106A, 106B and 106C for the service 102.In particular, each KPI 106A, 106B, 106C of the service 102 can bedefined by a search query that produces a value 108A,108B,108C derivedfrom the machine data 110A-E. As will be discussed in more detail below,according to one implementation, the machine data 110A-E is identifiedin entity definitions of entities 104A and 104B, and the entitydefinitions are specified in a service definition of service 102 forwhich values 108A-C are produced to indicate how the service 102 isperforming at a point in time or during a period of time. For example,KPI 106A can be defined by a search query that produces value 108Aindicating how the service 102 is performing with respect to CPU usage.KPI 106B can be defined by a different search query that produces value108B indicating how the service 102 is performing with respect to memoryusage. KPI 106C can be defined by yet another search query that producesvalue 108C indicating how the service 102 is performing with respect torequest response time.

The values 108A-C for the KPIs can be produced by executing the searchquery of the respective KPI. In one example, the search query defining aKPI 106A-C can be executed upon receiving a request (e.g., userrequest). For example, a service-monitoring dashboard, which isdescribed in greater detail below in conjunction with FIG. 35, candisplay KPI widgets providing a numerical or graphical representation ofthe value 108 for a respective KPI 106. A user may request theservice-monitoring dashboard to be displayed at a point in time, and thesearch queries for the KPIs 106 can be executed in response to therequest to produce the value 108 for the respective KPI 106. Theproduced values 108 can be displayed in the service-monitoringdashboard.

In another example, the search query defining a KPI 106A-C can beexecuted in real-time (continuous execution until interrupted). Forexample, a user may request the service-monitoring dashboard to bedisplayed, and the search queries for the KPIs 106 can be executed inresponse to the request to produce the value 108 for the respective KPI106. The produced values 108 can be displayed in the service-monitoringdashboard. The search queries for the KPIs 106 can be continuouslyexecuted until interrupted and the values for the search queries can berefreshed in the service-monitoring dashboard with each execution.Examples of interruption can include changing graphical interfaces,stopping execution of a program, etc.

In another example, the search query defining a KPI 106 can be executedbased on a schedule. For example, the search query for a KPI (e.g., KPI106A) can be executed at one or more particular times (e.g., 6:00 am,12:00 pm, 6:00 pm, etc.) and/or based on a period of time (e.g., every 5minutes). In one example, the values (e.g., values 108A) produced by asearch query for a KPI (e.g., KPI 106A) by executing the search query ona schedule are stored in a data store, and are used to calculate anaggregate KPI score for a service (e.g., service 102), as described ingreater detail below in conjunction with FIGS. 32-33. An aggregate KPIscore for the service 102 is indicative of an overall performance of theKPIs 106 of the service.

In one implementation, the machine data (e.g., machine data 110A-E) usedby a search query defining a KPI (e.g., KPI 106A) to produce a value canbe based on a time range. The time range can be a user-defined timerange or a default time range. For example, in the service-monitoringdashboard example above, a user can select, via the service-monitoringdashboard, a time range to use to further specify, for example, based ontime-stamps, which machine data should be used by a search querydefining a KPI. For example, the time range can be defined as “Last 15minutes,” which would represent an aggregation period for producing thevalue. In other words, if the query is executed periodically (e.g.,every 5 minutes), the value resulting from each execution can be basedon the last 15 minutes on a rolling basis, and the value resulting fromeach execution can be, for example, the maximum value during acorresponding 15-minute time range, the minimum value during thecorresponding 15-minute time range, an average value for thecorresponding 15-minute time range, etc.

In another implementation, the time range is a selected (e.g.,user-selected) point in time and the definition of an individual KPI canspecify the aggregation period for the respective KPI. By including theaggregation period for an individual KPI as part of the definition ofthe respective KPI, multiple KPIs can run on different aggregationperiods, which can more accurately represent certain types ofaggregations, such as, distinct counts and sums, improving the utilityof defined thresholds. In this manner, the value of each KPI can bedisplayed at a given point in time. In one example, a user may alsoselect “real time” as the point in time to produce the most up to datevalue for each KPI using its respective individually defined aggregationperiod.

An event-processing system can process a search query that defines a KPIof a service. An event-processing system can aggregate heterogeneousmachine-generated data (machine data) received from various sources(e.g., servers, databases, applications, networks, etc.) and optionallyprovide filtering such that data is only represented where it pertainsto the entities providing the service. In one example, a KPI may bedefined by a user-defined custom query that does not use entityfiltering. The aggregated machine data can be processed and representedas events. An event can be represented by a data structure that isassociated with a certain point in time and comprises a portion of rawmachine data (i.e., machine data). Events are described in greaterdetail below in conjunction with FIG. 72. The event-processing systemcan be configured to perform real-time indexing of the machine data andto execute real-time, scheduled, or historic searches on the sourcedata. An exemplary event-processing system is described in greaterdetail below in conjunction with FIG. 71.

Example Service Monitoring System

FIG. 2 is a block diagram 200 of one implementation of a servicemonitoring system 210 for monitoring performance of one or more servicesusing key performance indicators derived from machine data, inaccordance with one or more implementations of the present disclosure.The service monitoring system 210 can be hosted by one or more computingmachines and can include components for monitoring performance of one ormore services. The components can include, for example, an entity module220, a service module 230, a key performance indicator module 240, auser interface (UI) module 250, a dashboard module 260, a deep divemodule 270, and a home page module 280. The components can be combinedtogether or separated in further components, according to a particularembodiment. The components and/or combinations of components can behosted on a single computing machine and/or multiple computing machines.The components and/or combinations of components can be hosted on one ormore client computing machines and/or server computing machines.

The entity module 220 can create entity definitions. “Create”hereinafter includes “edit” throughout this document. An entitydefinition is a data structure that associates an entity (e.g., entity104A in FIG. 1) with machine data (e.g., machine data 110A-C in FIG. 1).The entity module 220 can determine associations between machine dataand entities, and can create an entity definition that associates anindividual entity with machine data produced by different sources hostedby that entity and/or other entity(ies). In one implementation, theentity module 220 automatically identifies the entities in anenvironment (e.g., IT environment), automatically determines, for eachentity, which machine data is associated with that particular entity,and automatically generates an entity definition for each entity. Inanother implementation, the entity module 220 receives input (e.g., userinput) for creating an entity definition for an entity, as will bediscussed in greater detail below in conjunction with FIGS. 5-10.

FIG. 3 is a block diagram 300 illustrating an entity definition for anentity, in accordance with one or more implementations of the presentdisclosure. The entity module 220 can create entity definition 350 thatassociates an entity 304 with machine data (e.g., machine data 310A,machine data 310B, machine data 310C) pertaining to that entity 304.Machine data that pertains to a particular entity can be produced bydifferent sources 315 and may be produced in different data formats 330.For example, the entity 304 may be a host machine that is executing aserver application 334 that produces machine data 310B (e.g., log data).The entity 304 may also host a script 336, which when executed, producesmachine data 310C. A software application 330, which is hosted by adifferent entity (not shown), can monitor the entity 304 and use an API333 to produce machine data 310A about the entity 304.

Each of the machine data 310A-C can include an alias that references theentity 304. At least some of the aliases for the particular entity 304may be different from each other. For example, the alias for entity 304in machine data 310A may be an identifier (ID) number 315, the alias forentity 304 in machine data 310B may be a hostname 317, and the alias forentity 304 in machine data 310C may be an IP (internet protocol) address319.

The entity module 220 can receive input for an identifying name 360 forthe entity 304 and can include the identifying name 360 in the entitydefinition 350. The identifying name 360 can be defined from input(e.g., user input). For example, the entity 304 may be a web server andthe entity module 220 may receive input specifyingwebserver01.splunk.com as the identifying name 360. The identifying name360 can be used to normalize the different aliases of the entity 304from the machine data 310A-C to a single identifier.

A KPI, for example, for monitoring CPU usage for a service provided bythe entity 304, can be defined by a search query directed to searchmachine data 310A-C based a service definition, which is described ingreater detail below in conjunction with FIG. 4, associating the entitydefinition 350 with the KPI, the entity definition 350 associating theentity 304 with the identifying name 360, and associating theidentifying name 360 (e.g., webserver01.splunk.com) with the variousaliases (e.g., ID number 315, hostname 317, and IP address 319).

Referring to FIG. 2, the service module 230 can create servicedefinitions for services. A service definition is a data structure thatassociates one or more entities with a service. The service module 230can receive input (e.g., user input) of a title and/or description for aservice definition. FIG. 4 is a block diagram illustrating a servicedefinition that associates one or more entities with a service, inaccordance with one or more implementations of the present disclosure.In another implementation, a service definition specifies one or moreother services which a service depends upon and does not associate anyentities with the service, as described in greater detail below inconjunction with FIG. 18. In another implementation, a servicedefinition specifies a service as a collection of one or more otherservices and one or more entities.

In one example, a service 402 is provided by one or more entities404A-N. For example, entities 404A-N may be web servers that provide theservice 402 (e.g., web hosting service). In another example, a service402 may be a database service that provides database data to otherservices (e.g., analytical services). The entities 404A-N, whichprovides the database service, may be database servers.

The service module 230 can include an entity definition 450A-450N, for acorresponding entity 404A-N that provides the service 402, in theservice definition 460 for the service 402. The service module 230 canreceive input (e.g., user input) identifying one or more entitydefinitions to include in a service definition.

The service module 230 can include dependencies 470 in the servicedefinition 460. The dependencies 470 indicate one or more other servicesfor which the service 402 is dependent upon. For example, another set ofentities (e.g., host machines) may define a testing environment thatprovides a sandbox service for isolating and testing untestedprogramming code changes. In another example, a specific set of entities(e.g., host machines) may define a revision control system that providesa revision control service to a development organization. In yet anotherexample, a set of entities (e.g., switches, firewall systems, androuters) may define a network that provides a networking service. Thesandbox service can depend on the revision control service and thenetworking service. The revision control service can depend on thenetworking service. If the service 402 is the sandbox service and theservice definition 460 is for the sandbox service 402, the dependencies470 can include the revision control service and the networking service.The service module 230 can receive input specifying the other service(s)for which the service 402 is dependent on and can include thedependencies 470 between the services in the service definition 460. Inone implementation, the service associated defined by the servicedefinition 460 may be designated as a dependency for another service,and the service definition 460 can include information indicating theother services which depend on the service described by the servicedefinition 460.

Referring to FIG. 2, the KPI module 240 can create one or more KPIs fora service and include the KPIs in the service definition. For example,in FIG. 4, various aspects (e.g., CPU usage, memory usage, responsetime, etc.) of the service 402 can be monitored using respective KPIs.The KPI module 240 can receive input (e.g., user input) defining a KPIfor each aspect of the service 402 to be monitored and include the KPIs(e.g., KPIs 406A-406N) in the service definition 460 for the service402. Each KPI can be defined by a search query that can produce a value.For example, the KPI 406A can be defined by a search query that producesvalue 408A, and the KPI 406N can be defined by a search query thatproduces value 408N.

The KPI module 240 can receive input specifying the search processinglanguage for the search query defining the KPI. The input can include asearch string defining the search query and/or selection of a data modelto define the search query. Data models are described in greater detailbelow in conjunction with FIGS. 74B-D. The search query can produce, fora corresponding KPI, value 408A-N derived from machine data that isidentified in the entity definitions 450A-N that are identified in theservice definition 460.

The KPI module 240 can receive input to define one or more thresholdsfor one or more KPIs. For example, the KPI module 240 can receive inputdefining one or more thresholds 410A for KPI 406A and input defining oneor more thresholds 410N for KPI 406N. Each threshold defines an end of arange of values representing a certain state for the KPI. Multiplestates can be defined for the KPI (e.g., unknown state, trivial state,informational state, normal state, warning state, error state, andcritical state), and the current state of the KPI depends on which rangethe value, which is produced by the search query defining the KPI, fallsinto. The KPI module 240 can include the threshold definition(s) in theKPI definitions. The service module 230 can include the defined KPIs inthe service definition for the service.

The KPI module 240 can calculate an aggregate KPI score 480 for theservice for continuous monitoring of the service. The score 480 can be acalculated value 482 for the aggregate of the KPIs for the service toindicate an overall performance of the service. For example, if theservice has 10 KPIs and if the values produced by the search queries for9 of the 10 KPIs indicate that the corresponding KPI is in a normalstate, then the value 482 for an aggregate KPI may indicate that theoverall performance of the service is satisfactory. Some implementationsof calculating a value for an aggregate KPI for the service arediscussed in greater detail below in conjunction with FIGS. 32-33.

Referring to FIG. 2, the service monitoring system 210 can be coupled toone or more data stores 290. The entity definitions, the servicedefinitions, and the KPI definitions can be stored in the data store(s)290 that are coupled to the service monitoring system 210. The entitydefinitions, the service definitions, and the KPI definitions can bestored in a data store 290 in a key-value store, a configuration file, alookup file, a database, or in metadata fields associated with eventsrepresenting the machine data. A data store 290 can be a persistentstorage that is capable of storing data. A persistent storage can be alocal storage unit or a remote storage unit. Persistent storage can be amagnetic storage unit, optical storage unit, solid state storage unit,electronic storage units (main memory), or similar storage unit.Persistent storage can be a monolithic device or a distributed set ofdevices. A ‘set’, as used herein, refers to any positive whole number ofitems.

The user interface (UI) module 250 can generate graphical interfaces forcreating and/or editing entity definitions for entities, creating and/orediting service definitions for services, defining key performanceindicators (KPIs) for services, setting thresholds for the KPIs, anddefining aggregate KPI scores for services. The graphical interfaces canbe user interfaces and/or graphical user interfaces (GUIs).

The UI module 250 can cause the display of the graphical interfaces andcan receive input via the graphical interfaces. The entity module 220,service module 230, KPI module 240, dashboard module 260, deep divemodule 270, and home page module 280 can receive input via the graphicalinterfaces generated by the UI module 250. The entity module 220,service module 230, KPI module 240, dashboard module 260, deep divemodule 270, and home page module 280 can provide data to be displayed inthe graphical interfaces to the UI module 250, and the UI module 250 cancause the display of the data in the graphical interfaces.

The dashboard module 260 can create a service-monitoring dashboard. Inone implementation, dashboard module 260 works in connection with UImodule 250 to present a dashboard-creation graphical interface thatincludes a modifiable dashboard template, an interface containingdrawing tools to customize a service-monitoring dashboard to define flowcharts, text and connections between different elements on theservice-monitoring dashboard, a KPI-selection interface and/or serviceselection interface, and a configuration interface for creatingservice-monitoring dashboard. The service-monitoring dashboard displaysone or more KPI widgets. Each KPI widget can provide a numerical orgraphical representation of one or more values for a corresponding KPIindicating how an aspect of a service is performing at one or morepoints in time. Dashboard module 260 can work in connection with UImodule 250 to define the service-monitoring dashboard in response touser input, and to cause display of the service-monitoring dashboardincluding the one or more KPI widgets. The input can be used tocustomize the service-monitoring dashboard. The input can include forexample, selection of one or more images for the service-monitoringdashboard (e.g., a background image for the service-monitoringdashboard, an image to represent an entity and/or service), creation andrepresentation of adhoc search in the form of KPI widgets, selection ofone or more KPIs to represent in the service-monitoring dashboard,selection of a KPI widget for each selected KPI. The input can be storedin the one or more data stores 290 that are coupled to the dashboardmodule 260. In other implementations, some other software or hardwaremodule may perform the actions associated with generating and displayingthe service-monitoring dashboard, although the general functionality andfeatures of the service-monitoring dashboard should remain as describedherein. Some implementations of creating the service-monitoringdashboard and causing display of the service-monitoring dashboard arediscussed in greater detail below in conjunction with FIGS. 35-47.

In one implementation, deep dive module 270 works in connection with UImodule 250 to present a wizard for creation and editing of the deep divevisual interface, to generate the deep dive visual interface in responseto user input, and to cause display of the deep dive visual interfaceincluding the one or more graphical visualizations. The input can bestored in the one or more data stores 290 that are coupled to the deepdive module 270. In other implementations, some other software orhardware module may perform the actions associated with generating anddisplaying the deep dive visual interface, although the generalfunctionality and features of deep dive should remain as describedherein. Some implementations of creating the deep dive visual interfaceand causing display of the deep dive visual interface are discussed ingreater detail below in conjunction with FIGS. 49-70.

The home page module 280 can create a home page graphical interface. Thehome page graphical interface can include one or more tiles, where eachtile represents a service-related alarm, service-monitoring dashboard, adeep dive visual interface, or the value of a particular KPI. In oneimplementation home page module 280 works in connection with UI module250. The UI module 250 can cause the display of the home page graphicalinterface. The home page module 280 can receive input (e.g., user input)to request a service-monitoring dashboard or a deep dive to bedisplayed. The input can include for example, selection of a tilerepresenting a service-monitoring dashboard or a deep dive. In otherimplementations, some other software or hardware module may perform theactions associated with generating and displaying the home pagegraphical interface, although the general functionality and features ofthe home page graphical interface should remain as described herein. Anexample home page graphical interface is discussed in greater detailbelow in conjunction with FIG. 48.

Referring to FIG. 2, the service monitoring system 210 can be coupled toan event processing system 205 via one or more networks. The eventprocessing system 205 can receive a request from the service monitoringsystem 210 to process a search query. For example, the dashboard module260 may receive input request to display a service-monitoring dashboardwith one or more KPI widgets. The dashboard module 260 can request theevent processing system 205 to process a search query for each KPIrepresented by a KPI widget in the service-monitoring dashboard. Someimplementations of an event processing system 205 are discussed ingreater detail below in conjunction with FIG. 71.

The one or more networks can include one or more public networks (e.g.,the Internet), one or more private networks (e.g., a local area network(LAN) or one or more wide area networks (WAN)), one or more wirednetworks (e.g., Ethernet network), one or more wireless networks (e.g.,an 802.11 network or a Wi-Fi network), one or more cellular networks(e.g., a Long Term Evolution (LTE) network), routers, hubs, switches,server computers, and/or a combination thereof.

Key Performance Indicators

FIG. 5 is a flow diagram of an implementation of a method 500 forcreating one or more key performance indicators for a service, inaccordance with one or more implementations of the present disclosure.The method may be performed by processing logic that may comprisehardware (circuitry, dedicated logic, etc.), software (such as is run ona general purpose computer system or a dedicated machine), or acombination of both. In one implementation, at least a portion of methodis performed by a client computing machine. In another implementation,at least a portion of method is performed by a server computing machine.

At block 502, the computing machine creates one or more entitydefinitions, each for a corresponding entity. Each entity definitionassociates an entity with machine data that pertains to that entity. Asdescribed above, various machine data may be associated with aparticular entity, but may use different aliases for identifying thesame entity. The entity definition for an entity normalizes thedifferent aliases of that entity. In one implementation, the computingmachine receives input for creating the entity definition. The input canbe user input. Some implementations of creating an entity definition foran entity from input received via a graphical user interface arediscussed in greater detail below in conjunction with FIGS. 6-10.

In another implementation, the computing machine imports a data file(e.g., CSV (comma-separated values) data file) that includes informationidentifying entities in an environment and uses the data file toautomatically create entity definitions for the entities described inthe data file. The data file may be stored in a data store (e.g., datastore 290 in FIG. 2) that is coupled to the computing machine.

In another implementation, the computing machine automatically (withoutany user input) identifies one or more aliases for an entity in machinedata, and automatically creates an entity definition in response toautomatically identifying the aliases of the entity in the machine data.For example, the computing machine can execute a search query from asaved search to extract data to identify an alias for an entity inmachine data from one or more sources, and automatically create anentity definition for the entity based on the identified aliases. Someimplementations of creating an entity definition from importing a datafile and/or from a saved search are discussed in greater detail below inconjunction with FIG. 16.

At block 504, the computing machine creates a service definition for aservice using the entity definitions of the one or more entities thatprovide the service, according to one implementation. A servicedefinition can relate one or more entities to a service. For example,the service definition can include an entity definition for each of theentities that provide the service. In one implementation, the computingmachine receives input (e.g., user input) for creating the servicedefinition. Some implementations of creating a service definition frominput received via a graphical interface are discussed in more detailbelow in conjunction with FIGS. 11-18. In one implementation, thecomputing machine automatically creates a service definition for aservice. In another example, a service may not directly be provided byone or more entities, and the service definition for the service may notdirectly relate one or more entities to the service. For example, aservice definition for a service may not contain any entity definitionsand may contain information indicating that the service is dependent onone or more other services. A service that is dependent on one or moreother services is described in greater detail below in conjunction withFIG. 18. For example, a business service may not be directly provided byone or more entities and may be dependent on one or more other services.For example, an online store service may depend on an e-commerce serviceprovided by an e-commerce system, a database service, and a networkservice. The online store service can be monitored via the entities ofthe other services (e.g., e-commerce service, database service, andnetwork service) upon which the service depends on.

At block 506, the computing machine creates one or more key performanceindicators (KPIs) corresponding to one or more aspects of the service.An aspect of a service may refer to a certain characteristic of theservice that can be measured at various points in time during theoperation of the service. For example, aspects of a web hosting servicemay include request response time, CPU usage, and memory usage. Each KPIfor the service can be defined by a search query that produces a valuederived from the machine data that is identified in the entitydefinitions included in the service definition for the service. Eachvalue is indicative of how an aspect of the service is performing at apoint in time or during a period of time. In one implementation, thecomputing machine receives input (e.g., user input) for creating theKPI(s) for the service. Some implementations of creating KPI(s) for aservice from input received via a graphical interface will be discussedin greater detail below in conjunction with FIGS. 19-31. In oneimplementation, the computing machine automatically creates one or morekey performance indicators (KPIs) corresponding to one or more aspectsof the service.

FIG. 6 is a flow diagram of an implementation of a method 600 forcreating an entity definition for an entity, in accordance with one ormore implementations of the present disclosure. The method may beperformed by processing logic that may comprise hardware (circuitry,dedicated logic, etc.), software (such as is run on a general purposecomputer system or a dedicated machine), or a combination of both. Inone implementation, at least a portion of method is performed by aclient computing machine. In another implementation, at least a portionof method is performed by a server computing machine.

At block 602, the computing machine receives input of an identifyingname for referencing the entity definition for an entity. The input canbe user input. The user input can be received via a graphical interface.Some implementations of creating an entity definition via input receivedfrom a graphical interface are discussed in greater detail below inconjunction with FIGS. 7-10. The identifying name can be a unique name.

At block 604, the computing machine receives input (e.g., user input)specifying one or more search fields (“fields”) representing the entityin machine data from different sources, to be used to normalizedifferent aliases of the entity. Machine data can be represented asevents. As described above, the computing machine can be coupled to anevent processing system (e.g., event processing system 205 in FIG. 2).The event processing system can process machine data to represent themachine data as events. Each of the events is raw data, and when a latebinding schema is applied to the events, values for fields defined bythe schema are extracted from the events. A number of “default fields”that specify metadata about the events rather than data in the eventsthemselves can be created automatically. For example, such defaultfields can specify: a timestamp for the event data; a host from whichthe event data originated; a source of the event data; and a source typefor the event data. These default fields may be determined automaticallywhen the events are created, indexed or stored. Each event has metadataassociated with the respective event. Implementations of the eventprocessing system processing the machine data to be represented asevents are discussed in greater detail below in conjunction with FIG.71.

At block 606, the computing machine receives input (e.g., user input)specifying one or more search values (“values”) for the fields toestablish associations between the entity and machine data. The valuescan be used to search for the events that have matching values for theabove fields. The entity can be associated with the machine data that isrepresented by the events that have fields that store values that matchthe received input.

The computing machine can optionally also receive input (e.g., userinput) specifying a type of entity to which the entity definitionapplies. The computing machine can optionally also receive input (e.g.,user input) associating the entity of the entity definition with one ormore services. Some implementations of receiving input for an entitytype for an entity definition and associating the entity with one ormore services are discussed in greater detail below in conjunction withFIGS. 9A-B.

FIG. 7 illustrates an example of a GUI 700 of a service monitoringsystem for creating and/or editing entity definition(s) and/or servicedefinition(s), in accordance with one or more implementations of thepresent disclosure. One or more GUIs of the service monitoring systemcan include GUI elements to receive input and to display data. The GUIelements can include, for example, and are not limited to, a text box, abutton, a link, a selection button, a drop down menu, a sliding bar, aselection button, an input field, etc. In one implementation, GUI 700includes a menu item, such as Configure 702, to facilitate the creationof entity definitions and service definitions.

Upon the selection of the Configure 702 menu item, a drop-down menu 704listing configuration options can be displayed. If the user selects theentities option 706 from the drop-down menu 704, a GUI for creating anentity definition can be displayed, as discussed in more detail below inconjunction with FIG. 8. If the user selects the services option 708from the drop-down menu 704, a GUI for creating a service definition canbe displayed, as discussed in more detail below in conjunction with FIG.11.

FIG. 8 illustrates an example of a GUI 800 of a service monitoringsystem for creating and/or editing entity definitions, in accordancewith one or more implementations of the present disclosure. GUI 800 candisplay a list 802 of entity definitions that have already been created.Each entity definition in the list 802 can include a button 804 forrequesting a drop-down menu 810 listing editing options to edit thecorresponding entity definition. Editing can include editing the entitydefinition and/or deleting the entity definition. When an editing optionis selected from the drop-down menu 810, one or more additional GUIs canbe displayed for editing the entity definition. GUI 800 can include animport button 806 for importing a data file (e.g., CSV file) forauto-discovery of entities and automatic generation of entitydefinitions for the discovered entities. The data file can include alist of entities that exist in an environment (e.g., IT environment).The service monitoring system can use the data file to automaticallycreate an entity definition for an entity in the list. In oneimplementation, the service monitoring system uses the data file toautomatically create an entity definition for each entity in the list.GUI 800 can include a button 808 that a user can activate to proceed tothe creation of an entity definition, which leads to GUI 900 of FIG. 9A.The automatic generation of entity definitions for entities is describedin greater detail below in conjunction with FIG. 16.

FIG. 9A illustrates an example of a GUI 900 of a service monitoringsystem for creating an entity definition, in accordance with one or moreimplementations of the present disclosure. GUI 900 can facilitate userinput specifying an identifying name 904 for the entity, an entity type906 for the entity, field(s) 908 and value(s) 910 for the fields 908 touse during the search to find events pertaining to the entity, and anyservices 912 that the entity provides. The entity type 906 can describethe particular entity. For example, the entity may be a host machinethat is executing a webserver application that produces machine data.FIG. 9B illustrates an example of input received via GUI 900 forcreating an entity definition, in accordance with one or moreimplementations of the present disclosure.

For example, the identifying name 904 is webserver01.splunk.com and theentity type 906 is web server. Examples of entity type can include, andare not limited to, host machine, virtual machine, type of server (e.g.,web server, email server, database server, etc.) switch, firewall,router, sensor, etc. The fields 908 that are part of the entitydefinition can be used to normalize the various aliases for the entity.For example, the entity definition specifies three fields 920,922,924and four values 910 (e.g., values 930,932,934,936) to associate theentity with the events that include any of the four values in any of thethree fields.

For example, the event processing system (e.g., event processing system205 in FIG. 2) can apply a late-binding schema to the events to extractvalues for fields (e.g., host field, ip field, and dest field) definedby the schema and determine which events have values that are extractedfor a host field that includes 10.11.12.13, webserver01.splunk.com,webserver01, or vm-0123, determine which events have values that areextracted for an ip field that includes 10.11.12.13,webserver01.splunk.com, webserver01, or vm-0123, or a dest field thatincludes 10.11.12.13, webserver01.splunk.com, webserver01, or vm-0123.The machine data that relates to the events that are produced from thesearch is the machine data that is associated with the entitywebserver01.splunk.com.

In another implementation, the entity definition can specify one or morevalues 910 to use for a specific field 908. For example, the value 930(10.11.12.13) may be used for extracting values for the ip field anddetermine which values match the value 930, and the value 932(webserver01.splunk.com) and the value 936 (vm-0123) may be used forextracting values for the host 920 field and determining which valuesmatch the value 932 or value 936.

In another implementation, GUI 900 includes a list of identifyingfield/value pairs. A search term that is modeled after these entitiescan constructed, such that, when a late-binding schema is applied toevents, values that match the identifiers associated with the fieldsdefined by the schema will be extracted. For example, ifidentifier.fields=“X,Y” then the entity definition should include inputspecifying fields labeled “X” and “Y”. The entity definition should alsoinclude input mapping the fields. For example, the entity definition caninclude the mapping of the fields as “X”:“1”,“Y”:[“2”,“3”]. The eventprocessing system (e.g., event processing system 205 in FIG. 2) canapply a late-binding schema to the events to extract values for fields(e.g., X and Y) defined by the schema and determine which events havevalues extracted for an X field that include “1”, or which events havevalues extracted for a Y field that include “2”, or which events havevalues extracted for a Y field that include “3”.

GUI 900 can facilitate user input specifying any services 912 that theentity provides. The input can specify one or more services that havecorresponding service definitions. For example, if there is a servicedefinition for a service named web hosting service that is provided bythe entity corresponding to the entity definition, then a user canspecify the web hosting service as a service 912 in the entitydefinition.

The save button 916 can be selected to save the entity definition in adata store (e.g., data store 290 in FIG. 2). The saved entity definitioncan be edited. FIG. 10 illustrates an example of a GUI 1000 of a servicemonitoring system for creating and/or editing entity definitions, inaccordance with one or more implementations of the present disclosure.GUI 1000 can display a list 1002 of entity definitions that have alreadybeen created. For example, list 1002 includes the entity definitionwebserver01.splunk.com that can be selected for editing.

FIG. 11 is a flow diagram of an implementation of a method 1100 forcreating a service definition for a service, in accordance with one ormore implementations of the present disclosure. The method may beperformed by processing logic that may comprise hardware (circuitry,dedicated logic, etc.), software (such as is run on a general purposecomputer system or a dedicated machine), or a combination of both. Inone implementation, at least a portion of method is performed by aclient computing machine. In another implementation, at least a portionof method is performed by a server computing machine.

At block 1102, the computing machine receives input of a title forreferencing a service definition for a service. At block 1104, thecomputing machine receives input identifying one or more entitiesproviding the service and associates the identified entities with theservice definition of the service at block 1106.

At block 1108, the computing machine creates one or more key performanceindicators for the service and associates the key performance indicatorswith the service definition of the service at block 1110. Someimplementations of creating one or more key performance indicators arediscussed in greater detail below in conjunction with FIGS. 19-31.

At block 1112, the computing machine receives input identifying one ormore other services which the service is dependent upon and associatesthe identified other services with the service definition of the serviceat block 1114. The computing machine can include an indication in theservice definition that the service is dependent on another service forwhich a service definition has been created.

At block 1116, the computing machine can optionally define an aggregateKPI score to be calculated for the service to indicate an overallperformance of the service. The score can be a value for an aggregate ofthe KPIs for the service. The aggregate KPI score can be periodicallycalculated for continuous monitoring of the service. For example, theaggregate KPI score for a service can be updated in real-time(continuously updated until interrupted). In one implementation, theaggregate KPI score for a service is updated periodically (e.g., everysecond). Some implementations of determining an aggregate KPI score forthe service are discussed in greater detail below in conjunction withFIGS. 32-34.

FIG. 12 illustrates an example of a GUI 1200 of a service monitoringsystem for creating and/or editing service definitions, in accordancewith one or more implementations of the present disclosure. GUI 1200 candisplay a list 1202 of service definitions that have already beencreated. Each service definition in the list 1202 can include a button1204 to proceed to a drop-down menu 1208 listing editing options relatedto the corresponding service definition. Editing options can includeediting the service definition, editing one or more KPIs for theservice, editing a title and/or description of the service description,and/or deleting the service definition. When an editing option isselected from the drop-down menu 1208, one or more other GUIs can bedisplayed for editing the service definition. GUI 1200 can include abutton 1210 to proceed to the creation of a new service definition.

FIG. 13 illustrates an example of a GUI 1300 of a service monitoringsystem for creating a service definition, in accordance with one or moreimplementations of the present disclosure. GUI 1300 can facilitate userinput specifying a title 1302 and optionally a description 1304 for theservice definition for a service. GUI 1300 can include a button 1306 toproceed to GUI 1400 of FIG. 14, for associating entities with theservice, creating KPIs for the service, and indicating dependencies forthe service.

FIG. 14 illustrates an example of a GUI 1400 of a service monitoringsystem for defining elements of a service definition, in accordance withone or more implementations of the present disclosure. GUI 1400 caninclude a accordion pane (accordion section) 1402, which when selected,displays fields for facilitating input for creating and/or editing atitle 1404 of a service definition, and input for a description 1406 ofthe service that corresponds to the service definition. If input for thetitle 1404 and/or description 1406 was previously received, for example,from GUI 1300 in FIG. 13, GUI 1400 can display the title 1404 anddescription 1406.

GUI 1400 can include a drop-down 1410 for receiving input for creatingone or more KPIs for the service. If the drop-down 1410 is selected, GUI1900 in FIG. 19 is displayed as described in greater detail below.

GUI 1400 can include a drop-down 1412 for receiving input for specifyingdependencies for the service. If the drop-down 1412 is selected, GUI1800 in FIG. 18 is displayed as described in greater detail below.

GUI 1400 can include one or more buttons 1408 to specify whetherentities are associated with the service. A selection of “No” 1416indicates that the service is not associated with any entities and theservice definition is not associated with any entity definitions. Forexample, a service may not be associated with any entities if an enduser intends to use the service and corresponding service definition fortesting purposes and/or experimental purposes. In another example, aservice may not be associated with any entities if the service isdependent one or more other services, and the service is being monitoredvia the entities of the one or more other services upon which theservice depends upon. For example, an end user may wish to use a servicewithout entities as a way to track a business service based on theservices which the business service depends upon. If “Yes” 1414 isselected, GUI 1500 in FIG. 15 is displayed as described in greaterdetail below.

FIG. 15 illustrates an example of a GUI 1500 of a service monitoringsystem for associating one or more entities with a service byassociating one or more entity definitions with a service definition, inaccordance with one or more implementations of the present disclosure.GUI 1500 can include a button 1510 for creating a new entity definition.If button 1510 is selected, GUI 1600 in FIG. 16 is displayedfacilitating user input for creating an entity definition.

FIG. 16 illustrates an example of a GUI 1600 facilitating user input forcreating an entity definition, in accordance with one or moreimplementations of the present disclosure. For example, GUI 1600 caninclude multiple fields 1601 for creating an entity definition, asdiscussed above in conjunction with FIG. 6. GUI 1600 can include abutton 1603, which when selected can display one or more UIs (e.g., GUIsor command line interface) for importing a data file for creating anentity definition. The data file can be a CSV (comma-separated values)data file that includes information identifying entities in anenvironment. The data file can be used to automatically create entitydefinitions for the entities described in the data file. GUI 1600 caninclude a button 1605, which when selected can display one or more UIs(e.g., GUIs or command line interface) for using a saved search forcreating an entity definition. For example, the computing machine canexecute a search query from a saved search to extract data to identifyan alias for an entity in machine data from one or more sources, andautomatically create an entity definition for the entity based on theidentified aliases.

Referring to FIG. 15, GUI 1500 can include an availability list 1504 ofentity definitions for entities, which can be selected to be associatedwith the service definition. The availability list 1504 can include oneor more entity definitions. For example, the availability list 1504 mayinclude thousands of entity definitions. GUI 1500 can include a filterbox 1502 to receive input for filtering the availability list 1504 ofentity definitions to display a portion of the entity definitions. Eachentity definition in the availability list 1502 can include the entitydefinition name 1506 and the entity type 1508. GUI 1500 can facilitateuser input for selecting an entity definition from the availability list1504 and dragging the selected entity definition to a selected list 1512to indicate that the entity for the selected entity definition isassociated with service of the service definition. For example, entitydefinition 1514 (e.g., webserver01.splunk.com) can be selected anddragged to the selected list 1512.

FIG. 17 illustrates an example of a GUI 1700 indicating one or moreentities associated with a service based on input, in accordance withone or more implementations of the present disclosure. The selected list1712 can include the entity definition (e.g., webserver01.splunk.com)that was dragged from the availability list 1704. The availability list1704 can remove any selected entity definitions (e.g.,webserver01.splunk.com). The selected list 1712 indicates which entitiesare members of a service via the entity definitions of the entities andservice definition for the service.

FIG. 18 illustrates an example of a GUI 1800 of a service monitoringsystem for specifying dependencies for the service, in accordance withone or more implementations of the present disclosure. GUI 1800 caninclude an availability list 1804 of services that each has acorresponding service definition. The availability list 1804 can includeone or more services. For example, the availability list 1804 mayinclude dozens of services. GUI 1800 can include a filter box 1802 toreceive input for filtering the availability list 1804 of services todisplay a portion of the services. GUI 1800 can facilitate user inputfor selecting a service from the availability list 1804 and dragging theselected service to a dependent services list 1812 to indicate that theservice is dependent on the services in the dependent services list1812. For example, the service definition may be for a Sandbox service.For example, the drop-down 1801 can be selected to display a title“Sandbox” in the service information for the service definition. Theavailability list 1804 may initially include four other services: (1)Revision Control service, (2) Networking service, (3) Web Hostingservice, and (4) Database service. The Sandbox service may depend on theRevision Control service and the Networking service. A user may selectthe Revision Control service and Networking service from theavailability list 1804 and drag the Revision Control service andNetworking service to the dependent services list 1812 to indicate thatthe Sandbox service is dependent on the Revision Control service andNetworking service. In one implementation, GUI 1800 further displays alist of other services which depend on the service described by theservice definition that is being created and/or edited.

Thresholds for Key Performance Indicators

FIG. 19 is a flow diagram of an implementation of a method 1900 forcreating one or more key performance indicators for a service, inaccordance with one or more implementations of the present disclosure.The method may be performed by processing logic that may comprisehardware (circuitry, dedicated logic, etc.), software (such as is run ona general purpose computer system or a dedicated machine), or acombination of both. In one implementation, the method is performed bythe client computing machine. In another implementation, the method isperformed by a server computing machine coupled to the client computingmachine over one or more networks.

At block 1902, the computing machine receives input (e.g., user input)of a name for a KPI to monitor a service or an aspect of the service.For example, a user may wish to monitor the service's response time forrequests, and the name of the KPI may be “Request Response Time.” Inanother example, a user may wish to monitor the load of CPU(s) for theservice, and the name of the KPI may be “CPU Usage.”

At block 1904, the computing machine creates a search query to produce avalue indicative of how the service or the aspect of the service isperforming. For example, the value can indicate how the aspect (e.g.,CPU usage, memory usage, request response time) is performing at pointin time or during a period of time. Some implementations for creating asearch query are discussed in greater detail below in conjunction withFIG. 20. In one implementation, the computing machine receives input(e.g., user input), via a graphical interface, of search processinglanguage defining the search query. Some implementations for creating asearch query from input of search processing language are discussed ingreater detail below in conjunction with FIGS. 22-23. In oneimplementation, the computing machine receives input (e.g., user input)for defining the search query using a data model. Some implementationsfor creating a search query using a data model are discussed in greaterdetail below in conjunction with FIGS. 24-26.

At block 1906, the computing machine sets one or more thresholds for theKPI. Each threshold defines an end of a range of values. Each range ofvalues represents a state for the KPI. The KPI can be in one of thestates (e.g., normal state, warning state, critical state) depending onwhich range the value falls into. Some implementations for setting oneor more thresholds for the KPI are discussed in greater detail below inconjunction with FIGS. 28-31.

FIG. 20 is a flow diagram of an implementation of a method 2000 forcreating a search query, in accordance with one or more implementationsof the present disclosure. The method may be performed by processinglogic that may comprise hardware (circuitry, dedicated logic, etc.),software (such as is run on a general purpose computer system or adedicated machine), or a combination of both. In one implementation, themethod is performed by the client computing machine. In anotherimplementation, the method is performed by a server computing machinecoupled to the client computing machine over one or more networks.

At block 2002, the computing machine receives input (e.g., user input)specifying a field to use to derive a value indicative of theperformance of a service or an aspect of the service to be monitored. Asdescribed above, machine data can be represented as events. Each of theevents is raw data. A late-binding schema can be applied to each of theevents to extract values for fields defined by the schema . The receivedinput can include the name of the field from which to extract a valuewhen executing the search query. For example, the received user inputmay be the field name “spent” that can be used to produce a valueindicating the time spent to respond to a request.

At block 2004, the computing machine optionally receives inputspecifying a statistical function to calculate a statistic using thevalue in the field. In one implementation, a statistic is calculatedusing the value(s) from the field, and the calculated statistic isindicative of how the service or the aspect of the service isperforming. As discussed above, the machine data used by a search queryfor a KPI to produce a value can be based on a time range. For example,the time range can be defined as “Last 15 minutes,” which wouldrepresent an aggregation period for producing the value. In other works,if the query is executed periodically (e.g., every 5 minutes), the valueresulting from each execution can be based on the last 15 minutes on arolling basis, and the value resulting from each execution can be basedon the statistical function. Examples of statistical functions include,and are not limited to, average, count, count of distinct values,maximum, mean, minimum, sum, etc. For example, the value may be from thefield “spent” the time range may be “Last 15 minutes,” and the input mayspecify a statistical function of average to define the search querythat should produce the average of the values of field “spent” for thecorresponding 15 minute time range as a statistic. In another example,the value may be a count of events satisfying the search criteria thatinclude a constraint for the field (e.g., if the field is “responsetime,” and the KPI is focused on measuring the number of slow responses(e.g., “response time” below x) issued by the service).

At block 2006, the computing machine defines the search query based onthe specified field and the statistical function. The computing machinemay also optionally receive input of an alias to use for a result of thesearch query. The alias can be used to have the result of the searchquery to be compared to one or more thresholds assigned to the KPI.

FIG. 21 illustrates an example of a GUI 2100 of a service monitoringsystem for creating a KPI for a service, in accordance with one or moreimplementations of the present disclosure. GUI 2100 can display a list2104 of KPIs that have already been created for the service andassociated with the service via the service definition. For example, theservice definition “Web Hosting” includes a KPI “Storage Capacity” and aKPI “Memory Usage”. GUI 2100 can include a button 2106 for editing aKPI. A KPI in the list 2104 can be selected and the button 2106 can beactivated to edit the selected KPI. GUI 2100 can include a button 2102for creating a new KPI. If button 2102 is activated, GUI 2200 in FIG. 22is displayed facilitating user input for creating a KPI.

FIG. 22 illustrates an example of a GUI 2200 of a service monitoringsystem for creating a KPI for a service, in accordance with one or moreimplementations of the present disclosure. GUI 2200 can facilitate userinput specifying a name 2202 and optionally a description 2204 for a KPIfor a service. The name 2202 can indicate an aspect of the service thatis to be monitored using the KPI. As described above, the KPI is definedby a search query that produces a value derived from machine datapertaining to one or more entities identified in a service definitionfor the service. The produced value is indicative of how an aspect ofthe service is performing. In one example, the produced value is thevalue extracted from a field when the search query is executed. Inanother example, the produced value is a result from calculating astatistic based on the value in the field.

In one implementation, the search query is defined from input (e.g.,user input), received via a graphical interface, of search processinglanguage defining the search query. GUI 2200 can include a button 2206for facilitating user input of search processing language defining thesearch query. If button 2206 is selected, a GUI for facilitating userinput of search processing language defining the search query can bedisplayed, as discussed in greater detail below in conjunction with FIG.23.

Referring to FIG. 22, in another implementation, the search query isdefined using a data model. GUI 2200 can include a button 2208 forfacilitating user input of a data model for defining the search query.If button 2208 is selected, a GUI for facilitating user input fordefining the search query using a data model can be displayed, asdiscussed in greater detail below in conjunction with FIG. 24.

FIG. 23 illustrates an example of a GUI 2300 of a service monitoringsystem for receiving input of search processing language for defining asearch query for a KPI for a service, in accordance with one or moreimplementations of the present disclosure. GUI 2300 can facilitate userinput specifying a KPI name 2301, which can optionally indicate anaspect of the service to monitor with the KPI, and optionally adescription 2302 for a KPI for a service. For example, the aspect of theservice to monitor can be response time for received requests, and theKPI name 2301 can be Request Response Time. GUI 2300 can facilitate userinput specifying search processing language 2303 that defines the searchquery for the Request Response Time KPI. The input for the searchprocessing language 2303 can specify a name of a field (e.g., spent2313) to use to extract a value indicative of the performance of anaspect (e.g., response time) to be monitored for a service. The input ofthe field (e.g., spent 2313) designates which data to extract from anevent when the search query is executed.

The input can optionally specify a statistical function (e.g., avg 2311)that should be used to calculate a statistic based on the valuecorresponding to a late-binding schema being applied to an event. Thelate-binding schema will extract a portion of event data correspondingto the field (e.g., spent 2313). For example, the value associated withthe field “spent” can be extracted from an event by applying alate-binding schema to the event. The input may specify that the averageof the values corresponding to the field “spent” should be produced bythe search query. The input can optionally specify an alias (e.g.,rsp_time 2315) to use (e.g., as a virtual field name) for a result ofthe search query (e.g., avg(spent) 2314). The alias 2315 can be used tohave the result of the search query to be compared with one or morethresholds assigned to the KPI.

GUI 2300 can display a link 2304 to facilitate user input to requestthat the search criteria be tested by running the search query for theKPI. In one implementation, when input is received requesting to testthe search criteria for the search query, a search GUI is displayed.

In some implementations, GUI 2300 can facilitate user input for creatingone or more thresholds for the KPI. The KPI can be in one of multiplestates (e.g., normal, warning, critical). Each state can be representedby a range of values. During a certain time, the KPI can be in one ofthe states depending on which range the value, which is produced at thattime by the search query for the KPI, falls into. GUI 2300 can include abutton 2307 for creating the threshold for the KPI. Each threshold for aKPI defines an end of a range of values, which represents one of thestates. Some implementations for creating one or more thresholds for theKPI are discussed in greater detail below in conjunction with FIGS.28-31.

GUI 2300 can include a button 2309 for editing which entity definitionsto use for the KPI. Some implementations for editing which entitydefinitions to use for the KPI are discussed in greater detail below inconjunction with FIG. 27.

In some implementations, GUI 2300 can include a button 2320 to receiveinput assigning a weight to the KPI to indicate an importance of the KPIfor the service relative to other KPIs defined for the service. Theweight can be used for calculating an aggregate KPI score for theservice to indicate an overall performance for the service, as discussedin greater detail below in conjunction with FIG. 32. GUI 2300 caninclude a button 2323 to receive input to define how often the KPIshould be measured (e.g., how often the search query defining the KPIshould be executed) for calculating an aggregate KPI score for theservice to indicate an overall performance for the service, as discussedin greater detail below in conjunction with FIG. 32. The importance(e.g., weight) of the KPI and the frequency of monitoring (e.g., aschedule for executing the search query) of the KPI can be used todetermine an aggregate KPI score for the service. The score can be avalue of an aggregate of the KPIs of the service. Some implementationsfor using the importance and frequency of monitoring for each KPI todetermine an aggregate KPI score for the service are discussed ingreater detail below in conjunction with FIGS. 32-33.

GUI 2300 can display an input box 2305 for a field to which thethreshold(s) can be applied. In particular, a threshold can be appliedto the value produced by the search query defining the KPI. Applying athreshold to the value produced by the search query is described ingreater detail below in conjunction with FIG. 29.

FIG. 24 illustrates an example of a GUI 2400 of a service monitoringsystem for defining a search query for a KPI using a data model, inaccordance with one or more implementations of the present disclosure.GUI 2400 can facilitate user input specifying a name 2403 and optionallya description 2404 for a KPI for a service. For example, the aspect ofthe service to monitor can be CPU utilization, and the KPI name 2403 canbe CPU Usage. If button 2402 is selected, GUI 2400 displays button 2406and button 2408 for defining the search query for the KPI using a datamodel. A data model refers to one or more objects grouped in ahierarchical manner and can include a root object and, optionally, oneor more child objects that can be linked to the root object. A rootobject can be defined by search criteria for a query to produce acertain set of events, and a set of fields that can be exposed tooperate on those events. Each child object can inherit the searchcriteria of its parent object and can have additional search criteria tofurther filter out events represented by its parent object. Each childobject may also include at least some of the fields of its parent objectand optionally additional fields specific to the child object, as willbe discussed in greater detail below in conjunction with FIGS. 74B-D.

If button 2402 is selected, GUI 2500 in FIG. 25 is displayed forfacilitating user input for selecting a data model to assist withdefining the search query. FIG. 25 illustrates an example of a GUI 2500of a service monitoring system for facilitating user input for selectinga data model and an object of the data model to use for defining thesearch query, in accordance with one or more implementations of thepresent disclosure. GUI 2500 can include a drop-down menu 2503, whichwhen expanded, displays a list of available data models. When a datamodel is selected, GUI 2500 can display a list 2505 of objectspertaining to the selected data model. For example, the data modelPerformance is selected and the objects pertaining to the Performancedata model are included in the list 2505. Objects of a data model aredescribed in greater detail below in conjunction with FIGS. 74B-D. Whenan object in the list 2505 is selected, GUI 2500 can display a list 2511of fields pertaining to the selected object. For example, the CPU object2509 is selected and the fields pertaining to the CPU object 2509 areincluded in the list 2511. GUI 2500 can facilitate user input of aselection of a field in the list 2511. The selected field (e.g.,cpu_load_percent 2513) is the field to use for the search query toderive a value indicative of the performance of an aspect (e.g., CPUusage) of the service. The derived value can be, for example, thefield's value extracted from an event when the search query is executed,a statistic calculated based on one or more values of the field in oneor more events located when the search query is executed, a count ofevents satisfying the search criteria that include a constraint for thefield (e.g., if the field is “response time” and the KPI is focused onmeasuring the number of slow responses (e.g., “response time” below x)issued by the service).

Referring to FIG. 24, GUI 2400 can display a button 2408 for optionallyselecting a statistical function to calculate a statistic using thevalue(s) from the field (e.g., cpu_load_percent 2513). If a statistic iscalculated, the result from calculating the statistic becomes theproduced value from the search query, which indicates how an aspect ofthe service is performing. When button 2408 is selected, GUI 2400 candisplay a drop-down list of statistics. The list of statistics caninclude, and are not limited to, average, count, count of distinctvalues, maximum, mean, minimum, sum, etc. For example, a user may select“average” and the value produced by the search query may be the averageof the values of field cpu_load_percent 2513 for a specified time range(e.g., “Last 15 minutes”). FIG. 26 illustrates an example of a GUI 2600of a service monitoring system for displaying a selected statistic 2601(e.g., average), in accordance with one or more implementations of thepresent disclosure.

Referring to FIG. 24, GUI 2400 can facilitate user input for creatingone or more thresholds for the KPI. GUI 2400 can include a button 2410for creating the threshold(s) for the KPI. Some implementations forcreating one or more thresholds for the KPI are discussed in greaterdetail below in conjunction with FIGS. 28-31.

GUI 2400 can include a button 2412 for editing which entity definitionsto use for the KPI. Some implementations for editing which entitydefinitions to use for the KPI are discussed in greater detail below inconjunction with FIG. 27.

GUI 2400 can include a button 2418 for saving a definition of a KPI andan association of the defined KPI with a service. The KPI definition andassociation with a service can be stored in a data store.

The value for the KPI can be produced by executing the search query ofthe KPI. In one example, the search query defining the KPI can beexecuted upon receiving a request (e.g., user request). For example, aservice-monitoring dashboard, which is described in greater detail belowin conjunction with FIG. 35, can display a KPI widget providing anumerical or graphical representation of the value for the KPI. A usermay request the service-monitoring dashboard to be displayed, and thecomputing machine can cause the search query for the KPI to execute inresponse to the request to produce the value for the KPI. The producedvalue can be displayed in the service-monitoring dashboard

In another example, the search query defining the KPI can be executedbased on a schedule. For example, the search query for a KPI can beexecuted at one or more particular times (e.g., 6:00 am, 12:00 pm, 6:00pm, etc.) and/or based on a period of time (e.g., every 5 minutes). Inone example, the values produced by a search query for a KPI byexecuting the search query on a schedule are stored in a data store, andare used to calculate an aggregate KPI score for a service, as describedin greater detail below in conjunction with FIGS. 32-33. An aggregateKPI score for the service is indicative of an overall performance of theKPIs of the service.

Referring to FIG. 24, GUI 2400 can include a button 2416 to receiveinput specifying a frequency of monitoring (schedule) for determiningthe value produced by the search query of the KPI. The frequency ofmonitoring (e.g., schedule) of the KPI can be used to determine aresolution for an aggregate KPI score for the service. The aggregate KPIscore for the service is indicative of an overall performance of theKPIs of the service. The accuracy of the aggregate KPI score for theservice for a given point in time can be based on the frequency ofmonitoring of the KPI. For example, a higher frequency can providehigher resolution which can help produce a more accurate aggregate KPIscore.

The machine data used by a search query defining a KPI to produce avalue can be based on a time range. The time range can be a user-definedtime range or a default time range. For example, in theservice-monitoring dashboard example above, a user can select, via theservice-monitoring dashboard, a time range to use (e.g., Last 15minutes) to further specify, for example, based on time-stamps, whichmachine data should be used by a search query defining a KPI. In anotherexample, the time range may be to use the machine data since the lasttime the value was produced by the search query. For example, if the KPIis assigned a frequency of monitoring of 5 minutes, then the searchquery can execute every 5 minutes, and for each execution use themachine data for the last 5 minutes relative to the execution time. Inanother implementation, the time range is a selected (e.g.,user-selected) point in time and the definition of an individual KPI canspecify the aggregation period for the respective KPI. By including theaggregation period for an individual KPI as part of the definition ofthe respective KPI, multiple KPIs can run on different aggregationperiods, which can more accurately represent certain types ofaggregations, such as, distinct counts and sums, improving the utilityof defined thresholds. In this manner, the value of each KPI can bedisplayed at a given point in time. In one example, a user may alsoselect “real time” as the point in time to produce the most up to datevalue for each KPI using its respective individually defined aggregationperiod.

GUI 2400 can include a button 2414 to receive input assigning a weightto the KPI to indicate an importance of the KPI for the service relativeto other KPIs defined for the service. The importance (e.g., weight) ofthe KPI can be used to determine an aggregate KPI score for the service,which is indicative of an overall performance of the KPIs of theservice. Some implementations for using the importance and frequency ofmonitoring for each KPI to determine an aggregate KPI score for theservice are discussed in greater detail below in conjunction with FIGS.32-33. FIG. 27 illustrates an example of a GUI 2700 of a servicemonitoring system for editing which entity definitions to use for a KPI,in accordance with one or more implementations of the presentdisclosure. GUI 2700 may be displayed in response to the user activationof button 2412 in GUI 2400 of FIG. 24. GUI 2700 can include a button2710 for creating a new entity definition. If button 2710 is selected,GUI 1600 in FIG. 16 can be displayed and an entity definition can becreated as described above in conjunction with FIG. 6 and FIG. 16.

Referring to FIG. 27, GUI 2700 can display buttons 2701,2703 forreceiving a selection of whether to include all of the entitydefinitions, which are associated with the service via the servicedefinition, for the KPI. If the Yes button 2701 is selected, the searchquery for the KPI can produce a value derived from the machine datapertaining to all of the entities represented by the entity definitionsthat are included in the service definition for the service. If the Nobutton 2703 is selected, a member list 2704 is displayed. The memberlist 2704 includes the entity definitions that are included in theservice definition for the service. GUI 2700 can include a filter box2702 to receive input for filtering the member list 2704 of entitydefinitions to display a subset of the entity definitions.

GUI 2700 can facilitate user input for selecting one or more entitydefinitions from the member list 2704 and dragging the selected entitydefinition(s) to an exclusion list 2712 to indicate that the entitiesidentified in each selected entity definition should not be consideredfor the current KPI. This exclusion means that the search criteria ofthe search query defining the KPI is changed to no longer search formachine data pertaining to the entities identified in the entitydefinitions from the exclusion list 2712. For example, entity definition2705 (e.g., webserver07.splunk.com) can be selected and dragged to theexclusion list 2712. When the search query for the KPI produces a value,the value will be derived from machine data, which does not includemachine data pertaining to webserver07.splunk.com.

FIG. 28 is a flow diagram of an implementation of a method 2800 fordefining one or more thresholds for a KPI, in accordance with one ormore implementations of the present disclosure. The method may beperformed by processing logic that may comprise hardware (circuitry,dedicated logic, etc.), software (such as is run on a general purposecomputer system or a dedicated machine), or a combination of both. Inone implementation, the method is performed by the client computingmachine. In another implementation, the method is performed by a servercomputing machine coupled to the client computing machine over one ormore networks.

At block 2802, the computing machine identifies a service definition fora service. In one implementation, the computing machine receives input(e.g., user input) selecting a service definition. The computing machineaccesses the service definition for a service from memory.

At block 2804, the computing machine identifies a KPI for the service.In one implementation, the computing machine receives input (e.g., userinput) selecting a KPI of the service. The computing machine accessesdata representing the KPI from memory.

At block 2806, the computing machine causes display of one or moregraphical interfaces enabling a user to set a threshold for the KPI. TheKPI can be in one of multiple states. Example states can include, andare not limited to, unknown, trivial state, informational state, normalstate, warning state, error state, and critical state. Each state can berepresented by a range of values. At a certain time, the KPI can be inone of the states depending on which range the value, which is producedby the search query for the KPI, falls into. Each threshold defines anend of a range of values, which represents one of the states. Someexamples of graphical interfaces for enabling a user to set a thresholdfor the KPI are discussed in greater detail below in conjunction withFIG. 29A to FIG. 31C.

At block 2808, the computing machine receives, through the graphicalinterfaces, an indication of how to set the threshold for the KPI. Thecomputing machine can receive input (e.g., user input), via thegraphical interfaces, specifying the field or alias that should be usedfor the threshold(s) for the KPI. The computing machine can also receiveinput (e.g., user input), via the graphical interfaces, of theparameters for each state. The parameters for each state can include,for example, and not limited to, a threshold that defines an end of arange of values for the state, a unique name, and one or more visualindicators to represent the state.

In one implementation, the computing machine receives input (e.g., userinput), via the graphical interfaces, to set a threshold and to applythe threshold to the KPI as determined using the machine data from theaggregate of the entities associated with the KPI.

In another implementation, the computing machine receives input (e.g.,user input), via the graphical interfaces, to set a threshold and toapply the threshold to a KPI as the KPI is determine using machine dataon a per entity basis for the entities associated with the KPI. Forexample, the computing machine can receive a selection (e.g., userselection) to apply thresholds on a per entity basis, and the computingmachine can apply the thresholds to the value of the KPI as the value iscalculated per entity.

For example, the computing machine may receive input (e.g., user input),via the graphical interfaces, to set a threshold of being equal orgreater than 80% for the KPI for Avg CPU Load, and the KPI is associatedwith three entities (e.g., Entity-1, Entity-2, and Entity-3). When theKPI is determined using data for Entity-1, the value for the KPI for AvgCPU Load may be at 50%. When the KPI is determined using data forEntity-2, the value for the KPI for Avg CPU Load may be at 50%. When theKPI is determined using data for Entity-3, the value for the KPI for AvgCPU Load may be at 80%. If the threshold is applied to the values of theaggregate of the entities (two at 50% and one at 80%), the aggregatevalue of the entities is 60%, and the KPI would not exceed the 80%threshold. If the threshold is applied using an entity basis for thethresholds (applied to the individual KPI values as calculatedpertaining to each entity), the computing machine can determine that theKPI pertaining to one of the entities (e.g., Entity-3) satisfies thethreshold by being equal to 80%.

At block 2810, the computing machine determines whether to set anotherthreshold for the KPI. The computing machine can receive input, via thegraphical interface, indicating there is another threshold to set forthe KPI. If there is another threshold to set for the KPI, the computingmachine returns to block 2808 to set the other threshold.

If there is not another threshold to set for the KPI (block 2810), thecomputing machine determines whether to set a threshold for another KPIfor the service at block 2812. The computing machine can receive input,via the graphical interface, indicating there is a threshold to set foranother KPI for the service. In one implementation, there are a maximumnumber of thresholds that can be set for a KPI. In one implementation, asame number of states are to be set for the KPIs of a service. In oneimplementation, a same number of states are to be set for the KPIs ofall services. The service monitoring system can be coupled to a datastore that stores configuration data that specifies whether there is amaximum number of thresholds for a KPI and the value for the maximumnumber, whether a same number of states is to be set for the KPIs of aservice and the value for the number of states, and whether a samenumber of states is to be set for the KPIs of all of the service and thevalue for the number of states. If there is a threshold to set foranother KPI, the computing machine returns to block 2804 to identity theother KPI.

At block 2814, the computing machine stores the one or more thresholdsettings for the one or more KPIs for the service. The computing machineassociates the parameters for a state defined by a correspondingthreshold in a data store that is coupled to the computing machine.

As will be discussed in more detail below, implementations of thepresent disclosure provide a service-monitoring dashboard that includesKPI widgets (“widgets”) to visually represent KPIs of the service. Awidget can be a Noel gauge, a spark line, a single value, or a trendindicator. A Noel gauge is indicator of measurement as described ingreater detail below in conjunction with FIG. 40. A widget of a KPI canpresent one or more values indicating how a respective service or anaspect of a service is performing at one or more points in time. Thewidget can also illustrate (e.g., using visual indicators such as color,shading, shape, pattern, trend compared to a different time range, etc.)the KPI's current state defined by one or more thresholds of the KPI.

FIGS. 29A-B illustrate examples of a graphical interface enabling a userto set one or more thresholds for the KPI, in accordance with one ormore implementations of the present disclosure.

FIG. 29A illustrates an example GUI 2900 for receiving input for searchprocessing language 2902 for defining a search query, in accordance withone or more implementations of the present disclosure. The KPI can be inone of multiple states (e.g., normal, warning, critical). Each state canbe represented by a range of values. At a certain time, the KPI can bein one of the states depending on which range the value, which isproduced by the search query for the KPI, falls into. GUI 2900 candisplay an input box 2904 for a field to which the threshold(s) can beapplied. In particular, a threshold can be applied to the value producedby the search query defining the KPI. The value can be, for example, thefield's value extracted from an event when the search query is executed,a statistic calculated based on one or more values of the field in oneor more events located when the search query is executed, a count ofevents satisfying the search criteria that include a constraint for thefield, etc. GUI 2900 may include the name 2904 of the actual field usedin the search query or the name of an alias that defines a desiredstatistic or count to be produced by the search query. For example, thethreshold may be applied to an average response time produced by thesearch query, and the average response time can be defined by the alias“rsp_time” in the input box 2904.

FIG. 29B illustrates an example GUI 2950 for receiving input forselecting a data model for defining a search query, in accordance withone or more implementations of the present disclosure. GUI 2950 can bedisplayed if a KPI is defined using a data model.

GUI 2950 in FIG. 29B can include a statistical function 2954 to be usedfor producing a value when executing the search query of the KPI. Asshown, the statistical function 2954 is a count, and the resultingstatistic (the count value) should be compared with one or morethresholds of the KPI. The GUI 2950 also includes a button 2956 forcreating the threshold(s) for the KPI. When either button 2906 isselected from GUI 2900 or button 2956 is selected from GUI 2950, GUI3000 of FIG. 30 is displayed.

FIG. 30 illustrates an example GUI 3000 for enabling a user to set oneor more thresholds for the KPI, in accordance with one or moreimplementations of the present disclosure. Each threshold for a KPIdefines an end of a range of values, which represents one of the states.GUI 3000 can display a button 3002 for adding a threshold to the KPI. Ifbutton 3002 is selected, a GUI for facilitating user input for theparameters for the state associated with the threshold can be displayed,as discussed in greater detail below in conjunction with FIGS. 31A-C.

Referring to FIG. 30, if button 3002 is selected three times, there willbe three thresholds for the KPI. Each threshold defines an end of arange of values, which represents one of the states. GUI 3000 candisplay a UI element (e.g., column 3006) that includes sectionsrepresenting the defined states for the KPI, as described in greaterdetail below in conjunction with FIGS. 31A-C. GUI 3000 can facilitateuser input to specify a maximum value 3004 and a minimum value 3008 fordefining a scale for a widget that can be used to represent the KPI onthe service-monitoring dashboard. Some implementations of widgets forrepresenting KPIs are discussed in greater detail below in conjunctionwith FIGS. 40-42 and FIGS. 44-46.

Referring to FIG. 30, GUI 3000 can optionally include a button 3010 forreceiving input indicating whether to apply the threshold(s) to theaggregate of the KPIs of the service or to the particular KPI. Someimplementations for applying the threshold(s) to the aggregate of theKPIs of the service or to a particular KPI are discussed in greaterdetail below in conjunction with FIGS. 32-34.

FIG. 31A illustrates an example GUI 3100 for defining threshold settingsfor a KPI, in accordance with one or more implementations of the presentdisclosure. GUI 3100 is a modified view of GUI 3000, which is providedonce the user has requested to add several thresholds for a KPI viabutton 3002 of GUI 3000. In particular, in response to the user requestto add a threshold, GUI 3100 dynamically adds a GUI element in adesignated area of GUI 3100. A GUI element can be in the form of aninput box divided into several portions to receive various user inputand visually illustrate the received input. The GUI element canrepresent a specific state of the KPI. When multiple states are definedfor the KPI, several GUI elements can be presented in the GUI 3100. Forexample, the GUI elements can be presented as input boxes of the samesize and with the same input fields, and those input boxes can bepositioned horizontally, parallel to each other, and resemble individualrecords from the same table. Alternatively, other types of GUI elementscan be provided to represent the states of the KPI.

Each state of the KPI can have a name, and can be represented by a rangeof values, and a visual indicator. The range of values is defined by oneor more thresholds that can provide the minimum end and/or the maximumend of the range of values for the state. The characteristics of thestate (e.g., the name, the range of values, and a visual indicator) canbe edited via input fields of the respective GUI element.

In the example shown in FIG. 31A, GUI 3100 includes three GUI elementsrepresenting three different states of the KPI based on three addedthresholds. These states include states 3102, 3104, and 3106.

For each state, GUI 3100 can include a GUI element that displays a name(e.g., a unique name for that KPI) 3109, a threshold 3110, and a visualindicator 3112 (e.g., an icon having a distinct color for each state).The unique name 3109, a threshold 3110, and a visual indicator 3112 canbe displayed based on user input received via the input fields of therespective GUI element. For example, the name “Normal” can be specifiedfor state 3106, the name “Warning” can be specified for state 3104, thename “Critical” can be specified for state 3102.

The visual indicator 3112 can be, for example, an icon having a distinctvisual characteristic such as a color, a pattern, a shade, a shape, orany combination of color, pattern, shade and shape, as well as any othervisual characteristics. For each state, the GUI element can display adrop-down menu 3114, which when selected, displays a list of availablevisual characteristics. A user selection of a specific visualcharacteristic (e.g., a distinct color) can be received for each state.

For each state, input of a threshold value representing the minimum endof the range of values for the corresponding state of the KPI can bereceived via the threshold portion 3110 of the GUI element. The maximumend of the range of values for the corresponding state can be either apreset value or can be defined by (or based on) the threshold associatedwith the succeeding state of the KPI, where the threshold associatedwith the succeeding state is higher than the threshold associated withthe state before it.

For example, for Normal state 3106, the threshold value 0 may bereceived to represent the minimum end of the range of KPI values forthat state. The maximum end of the range of KPI values for the Normalstate 3106 can be defined based on the threshold associated with thesucceeding state (e.g., Warning state 3104) of the KPI. For example, thethreshold value 50 may be received for the Warning state 3104 of theKPI. Accordingly, the maximum end of the range of KPI values for theNormal state 3106 can be set to a number immediately preceding thethreshold value of 50 (e.g., it can be set to 49 if the values used toindicate the KPI state are integers).

The maximum end of the range of KPI values for the Warning state 3104 isdefined based on the threshold associated with the succeeding state(e.g., Critical state 3102) of the KPI. For example, the threshold value75 may be received for the Critical state 3102 of the KPI, which maycause the maximum end of the range of values for the Warning state 3104to be set to 74. The maximum end of the range of values for the higheststate (e.g., Critical state 3102) can be a preset value or an indefinitevalue.

When input is received for a threshold value for a corresponding stateof the KPI and/or a visual characteristic for an icon of thecorresponding state of the KPI, GUI 3100 reflects this input bydynamically modifying a visual appearance of a vertical UI element(e.g., column 3118) that includes sections that represent the definedstates for the KPI. Specifically, the sizes (e.g., heights) of thesections can be adjusted to visually illustrate ranges of KPI values forthe states of the KPI, and the threshold values can be visuallyrepresented as marks on the column 3118. In addition, the appearance ofeach section is modified based on the visual characteristic (e.g.,color, pattern) selected by the user for each state via a drop-down menu3114. In some implementations, once the visual characteristic isselected for a specific state, it is also illustrated by modifiedappearance (e.g., modified color or pattern) of icon 3112 positionednext to a threshold value associated with that state.

For example, if the color green is selected for the Normal state 3106, arespective section of column 3118 can be displayed with the color greento represent the Normal state 3106. In another example, if the value 50is received as input for the minimum end of a range of values for theWarning state 3104, a mark 3117 is placed on column 3118 to representthe value 50 in proportion to other marks and the overall height of thecolumn 3118. As discussed above, the size (e.g., height) of each sectionof the UI element (e.g., column) 3118 is defined by the minimum end andthe maximum end of the range of KPI values of the corresponding state.

In one implementation, GUI 3100 displays one or more pre-defined statesfor the KPI. Each predefined state is associated with at least one of apre-defined unique name, a pre-defined value representing a minimum endof a range of values, or a predefined visual indicator. Each pre-definedstate can be represented in GUI 3100 with corresponding GUI elements asdescribed above.

GUI 3100 can facilitate user input to specify a maximum value 3116 and aminimum value 3120 for the combination of the KPI states to define ascale for a widget that represents the KPI. Some implementations ofwidgets for representing KPIs are discussed in greater detail below inconjunction with FIGS. 40-42 and FIGS. 44-46. GUI 3100 can display abutton 3122 for receiving input indicating whether to apply thethreshold(s) to the aggregate KPI of the service or to the particularKPI or both. The application of threshold(s) to the aggregate KPI of theservice or to a particular KPI is discussed in more detail below inconjunction with FIG. 33.

FIGS. 31B-31C illustrate GUIs for defining threshold settings for a KPI,in accordance with an alternative implementation of the presentdisclosure. In GUI 3150 of FIG. 31B, adjacent to column 3118, a linechart 3152 is displayed. The line chart 3152 represents the KPI valuesfor the current KPI over a period of time selected from drop down menu3154. The KPI values are plotted over the period of time on a firsthorizontal axis and against a range of values set by the maximum value3116 and minimum value 3120 on a second vertical axis. In oneimplementation when a mark 3156 is added to column 3118 indicating theend of a range of values for the a particular state a horizontal line3158 is displayed along the length of line chart 3152. The horizontalline 3158 makes it easy to visually correlate the KPI values representedby line chart 3152 with the end of the range of values. For example, inFIG. 31B, with the “Critical” state having a range below 15 GB, thehorizontal line 3158 indicates that the KPI values drop below the end ofthe range four different times. This may provide information to a userthat the end of the range of values indicated by mark 3156 can beadjusted.

In GUI 3160 of FIG. 31C, the user has adjusted the position of mark3156, thereby decreasing the end of the range of values for the“Critical” state to 10 GB. Horizontal line 3158 is also lowered toreflect the change. In one implementation, the user may click and dragmark 3156 down to the desired value. In another implementation, the usermay type in the desired value. The user can tell that the KPI values nowdrop below the end of the only once, thereby limiting the number ofalerts associated with the defined threshold.

Aggregate Key Performance Indicators

FIG. 32 is a flow diagram of an implementation of a method 3200 forcalculating an aggregate KPI score for a service based on the KPIs forthe service, in accordance with one or more implementations of thepresent disclosure. The method may be performed by processing logic thatmay comprise hardware (circuitry, dedicated logic, etc.), software (suchas is run on a general purpose computer system or a dedicated machine),or a combination of both. In one implementation, the method is performedby the client computing machine. In another implementation, the methodis performed by a server computing machine coupled to the clientcomputing machine over one or more networks.

At block 3201, the computing machine identifies a service to evaluate.The service is provided by one or more entities. The computing systemcan receive user input, via one or more graphical interfaces, selectinga service to evaluate. The service can be represented by a servicedefinition that associates the service with the entities as discussed inmore detail above.

At block 3203, the computing machine identifies key performanceindicators (KPIs) for the service. The service definition representingthe service can specify KPIs available for the service, and thecomputing machine can determine the KPIs for the service from theservice definition of the service. Each KPI can pertain to a differentaspect of the service. Each KPI can be defined by a search query thatderives a value for that KPI from machine data pertaining to entitiesproviding the service. As discussed above, the entities providing theservice are identified in the service definition of the service.According to a search query, a KPI value can be derived from machinedata of all or some entities providing the service.

In some implementations, not all of the KPIs for a service are used tocalculate the aggregate KPI score for the service. For example, a KPImay solely be used for troubleshooting and/or experimental purposes andmay not necessarily contribute to providing the service or impacting theperformance of the service. The troubleshooting/experimental KPI can beexcluded from the calculation of the aggregate KPI score for theservice.

In one implementation, the computing machine uses a frequency ofmonitoring that is assigned to a KPI to determine whether to include aKPI in the calculation of the aggregate KPI score. The frequency ofmonitoring is a schedule for executing the search query that defines arespective KPI. As discussed above, the individual KPIs can representsaved searches. These saved searches can be scheduled for executionbased on the frequency of monitoring of the respective KPIs. In oneexample, the frequency of monitoring specifies a time period (e.g., 1second, 2 minutes, 10 minutes, 30 minutes, etc.) for executing thesearch query that defines a respective KPI, which then produces a valuefor the respective KPI with each execution of the search query. Inanother example, the frequency of monitoring specifies particular times(e.g., 6:00 am, 12:00 pm, 6:00 pm, etc.) for executing the search query.The values produced for the KPIs of the service, based on the frequencyof monitoring for the KPIs, can be considered when calculating a scorefor an aggregate KPI of the service, as discussed in greater detailbelow in conjunction with FIG. 34.

Alternatively, the frequency of monitoring can specify that the KPI isnot to be measured (that the search query for a KPI is not to beexecuted). For example, a troubleshooting KPI may be assigned afrequency of monitoring of zero.

In one implementation, if a frequency of monitoring is unassigned for aKPI, the KPI is automatically excluded in the calculation for theaggregate KPI score. In one implementation, if a frequency of monitoringis unassigned for a KPI, the KPI is automatically included in thecalculation for the aggregate KPI score.

The frequency of monitoring can be assigned to a KPI automatically(without any user input) based on default settings or based on specificcharacteristics of the KPI such as a service aspect associated with theKPI, a statistical function used to derive a KPI value (e.g., maximumversus average), etc. For example, different aspects of the service canbe associated with different frequencies of monitoring, and KPIs caninherit frequencies of monitoring of corresponding aspects of theservice.

Values for KPIs can be derived from machine data that is produced bydifferent sources. The sources may produce the machine data at variousfrequencies (e.g., every minute, every 10 minutes, every 30 minutes,etc.) and/or the machine data may be collected at various frequencies(e.g., every minute, every 10 minutes, every 30 minutes, etc.). Inanother example, the frequency of monitoring can be assigned to a KPIautomatically (without any user input) based on the accessibility ofmachine data associated with the KPI (associated through entitiesproviding the service). For example, an entity may be associated withmachine data that is generated at a medium frequency (e.g., every 10minutes), and the KPI for which a value is being produced using thisparticular machine data can be automatically assigned a medium frequencyfor its frequency of monitoring.

Alternatively, frequency of monitoring can be assigned to KPIs based onuser input. FIG. 33A illustrates an example GUI 3300 for creating and/orediting a KPI, including assigning a frequency of monitoring to a KPI,based on user input, in accordance with one or more implementations ofthe present disclosure. GUI 3300 for can include a button 3311 toreceive a user request to assign a frequency of monitoring to the KPIbeing created or modified. Upon activating button 3311, a user can enter(e.g., via another GUI or a command line interface) a frequency (e.g., auser defined value) for the KPI, or select a frequency from a listpresented to the user. In one example, the list may include variousfrequency types, where each frequency type is mapped to a pre-definedand/or user-defined time period. For example, the frequency types mayinclude Real Time (e.g., 1 second), High Frequency (e.g., 2 minutes),Medium Frequency (e.g., 10 minutes), Low Frequency (e.g., 30 minutes),Do Not Measure (e.g., no frequency).

The assigned frequency of monitoring of KPIs can be included in theservice definition specifying the KPIs, or in a separate data structuretogether with other settings of a KPI.

Referring to FIG. 32, at block 3205, the computing machine derives oneor more values for each of the identified KPIs. The computing machinecan cause the search query for each KPI to execute to produce acorresponding value. In one implementation, as discussed above, thesearch query for a particular KPI is executed based on a frequency ofmonitoring assigned to the particular KPI. When the frequency ofmonitoring for a KPI is set to a time period, for example, HighFrequency (e.g., 2 minutes), a value for the KPI is derived each timethe search query defining the KPI is executed every 2 minutes. Thederived value(s) for each KPI can be stored in an index. In oneimplementation, when a KPI is assigned a frequency of monitoring of DoNot Measure or is assigned a zero frequency (no frequency), no value isproduced (the search query for the KPI is not executed) for therespective KPI and no values for the respective KPI are stored in thedata store.

At block 3207, the computing machine calculates a value for an aggregateKPI score for the service using the value(s) from each of the KPIs ofthe service. The value for the aggregate KPI score indicates an overallperformance of the service. For example, a Web Hosting service may have10 KPIs and one of the 10 KPIs may have a frequency of monitoring set toDo Not Monitor. The other nine KPIs may be assigned various frequenciesof monitoring. The computing machine can access the values produced forthe nine KPIs in the data store to calculate the value for the aggregateKPI score for the service, as discussed in greater detail below inconjunction with FIG. 34. Based on the values obtained from the datastore, if the values produced by the search queries for 8 of the 9 KPIsindicate that the corresponding KPI is in a normal state, then the valuefor an aggregate KPI score may indicate that the overall performance ofthe service is normal.

An aggregate KPI score can be calculated by adding the values of allKPIs of the same service together. Alternatively, an importance of eachindividual KPI relative to other KPIs of the service is considered whencalculating the aggregate KPI score for the service. For example, a KPIcan be considered more important than other KPIs of the service if ithas a higher importance weight than the other KPIs of the service.

In some implementations, importance weights can be assigned to KPIsautomatically (without any user input) based on characteristics ofindividual KPIs. For example, different aspects of the service can beassociated with different weights, and KPIs can inherit weights ofcorresponding aspects of the service. In another example, a KPI derivingits value from machine data pertaining to a single entity can beautomatically assigned a lower weight than a KPI deriving its value frommachine data pertaining to multiple entities, etc.

Alternatively, importance weights can be assigned to KPIs based on userinput. Referring again to FIG. 33A, GUI 3300 can include a button 3309to receive a user request to assign a weight to the KPI being created ormodified. Upon selecting button 3309, a user can enter (e.g., viaanother GUI or a command line interface) a weight (e.g., a user definedvalue) for the KPI, or select a weight from a list presented to theuser. In one implementation, a greater value indicates that a greaterimportance is placed on a KPI. For example, the set of values may be1-10, where the value 10 indicates high importance of the KPI relativeto the other KPIs for the service. For example, a Web Hosting servicemay have three KPIs: (1) CPU Usage, (2) Memory Usage, and (3) RequestResponse Time. A user may provide input indicating that the RequestResponse Time KPI is the most important KPI and may assign a weight of10 to the Request Response Time KPI. The user may provide inputindicating that the CPU Usage KPI is the next most important KPI and mayassign a weight of 5 to the CPU Usage KPI. The user may provide inputindicating that the Memory Usage KPI is the least important KPI and mayassign a weight of 1 to the Memory Usage KPI.

In one implementation, a KPI is assigned an overriding weight. Theoverriding weight is a weight that overrides the importance weights ofthe other KPIs of the service. Input (e.g., user input) can be receivedfor assigning an overriding weight to a KPI. The overriding weightindicates that the status (state) of KPI should be used a minimumoverall state of the service. For example, if the state of the KPI,which has the overriding weight, is warning, and one or more other KPIsof the service have a normal state, then the service may only beconsidered in either a warning or critical state, and the normalstate(s) for the other KPIs can be disregarded.

In another example, a user can provide input that ranks the KPIs of aservice from least important to most important, and the ranking of a KPIspecifies the user selected weight for the respective KPI. For example,a user may assign a weight of 1 to the Memory Usage KPI, assign a weightof 2 to the CPU Usage KPI, and assign a weight of 3 to the RequestResponse Time KPI. The assigned weight of each KPI may be included inthe service definition specifying the KPIs, or in a separate datastructure together with other settings of a KPI.

Alternatively or in addition, a KPI can be considered more importantthan other KPIs of the service if it is measured more frequently thanthe other KPIs of the service. In other words, search queries ofdifferent KPIs of the service can be executed with different frequency(as specified by a respective frequency of monitoring) and queries ofmore important KPIs can be executed more frequently than queries of lessimportant KPIs.

As will be discussed in more detail below in conjunction with FIG. 34,the calculation of a score for an aggregate KPI may be based on ratingsassigned to different states of an individual KPI. Referring again toFIG. 33A, a user can select button 3313 for defining threshold settings,including state ratings, for a KPI to display GUI 3350 in FIG. 33B. FIG.33B illustrates an example GUI 3350 for defining threshold settings,including state ratings, for a KPI, in accordance with one or moreimplementations of the present disclosure. Similarly to GUI 3100 of FIG.31A, GUI 3350 includes horizontal GUI elements (e.g., in the form ofinput boxes) 3352, 3354 and 3356 that represent specific states of theKPI. For each state, a corresponding GUI element can display a name3359, a threshold 3360, and a visual indicator 3362 (e.g., an iconhaving a distinct color for each state). The name 3359, a threshold3360, and a visual indicator 3362 can be displayed based on user inputreceived via the input fields of the respective GUI element. GUI 3350can include a vertical GUI element (e.g., a column) 3368 that changesappearance (e.g., the size and color of its sectors) based on inputreceived for a threshold value for a corresponding state of the KPIand/or a visual characteristic for an icon of the corresponding state ofthe KPI. In some implementations, once the visual characteristic isselected for a specific state via the menu 3364, it is also illustratedby the modified appearance (e.g., modified color or pattern) of icon3362 positioned next to a threshold value associated with that state.

In addition, GUI 3350 provides for configuring a rating for each stateof the KPI. The ratings indicate which KPIs should be given more or lessconsideration in view of their current states. When calculating anaggregate KPI, a score of each individual KPI reflects the rating ofthat KPI's current state, as will be discussed in more detail below inconjunction with FIG. 34. Ratings for different KPI states can beassigned automatically (e.g., based on a range of KPI values for astate) or specified by a user. GUI 3350 can include a field 3380 thatdisplays an automatically generated rating or a rating entered orselected by a user. Field 3380 may be located next to (or in the samerow as) a horizontal GUI element representing a corresponding state.Alternatively, field 3380 can be part of the horizontal GUI element. Inone example, a user may provide input assigning a rating of 1 to theNormal State, a rating of 2 to the Warning State, and a rating of 3 tothe Critical State.

In one implementation, GUI 3350 displays a button 3372 for receivinginput indicating whether to apply the threshold(s) to the aggregate KPIof the service or to the particular KPI or both. If a threshold isconfigured to be applied to a certain individual KPI, then a specifiedaction (e.g., generate alert, add to report) will be triggered when avalue of that KPI reaches (or exceeds) the individual KPI threshold. Ifa threshold is configured to be applied to the aggregate KPI of theservice, then a specified action (e.g., create notable event, generatealert, add to incident report) will be triggered when a value (e.g., ascore) of the aggregate KPI reaches (or exceeds) the aggregate KPIthreshold. In some implementations, a threshold can be applied to bothor either the individual or aggregate KPI, and different actions or thesame action can be triggered depending on the KPI to which the thresholdis applied. The actions to be triggered can be pre-defined or specifiedby the user via a user interface (e.g., a GUI or a command lineinterface) while the user is defining thresholds or after the thresholdshave been defined. The action to be triggered in view of thresholds canbe included in the service definition identifying the respective KPI(s)or can be stored in a data structure dedicated to store various KPIsettings of a relevant KPI.

FIG. 34 is a flow diagram of an implementation of a method 3400 forcalculating a score for an aggregate KPI for the service, in accordancewith one or more implementations of the present disclosure. The methodmay be performed by processing logic that may comprise hardware(circuitry, dedicated logic, etc.), software (such as is run on ageneral purpose computer system or a dedicated machine), or acombination of both. In one implementation, the method is performed bythe client computing machine. In another implementation, the method isperformed by a server computing machine coupled to the client computingmachine over one or more networks.

At block 3402, the computing machine identifies a service to beevaluated. The service is provided by one or more entities. Thecomputing system can receive user input, via one or more graphicalinterfaces, selecting a service to evaluate.

At block 3404, the computing machine identifies key performanceindicators (KPIs) for the service. The computing machine can determinethe KPIs for the service from the service definition of the service.Each KPI indicates how a specific aspect of the service is performing ata point in time.

At block 3406, the computing machine optionally identifies a weighting(e.g., user selected weighting or automatically assigned weighting) foreach of the KPIs of the service. As discussed above, the weighting ofeach KPI can be determined from the service definition of the service ora KPI definition storing various setting of the KPI.

At block 3408, the computing machine derives one or more values for eachKPI for the service by executing a search query associated with the KPI.As discussed above, each KPI is defined by a search query that derivesthe value for a corresponding KPI from the machine data that isassociated with the one or more entities that provide the service.

As discussed above, the machine data associated with the one or moreentities that provide the same service is identified using auser-created service definition that identifies the one or more entitiesthat provide the service. The user-created service definition alsoidentifies, for each entity, identifying information for locating themachine data pertaining to that entity. In another example, theuser-created service definition also identifies, for each entity,identifying information for a user-created entity definition thatindicates how to locate the machine data pertaining to that entity. Themachine data can include for example, and is not limited to,unstructured data, log data, and wire data. The machine data associatedwith an entity can be produced by that entity. In addition oralternatively, the machine data associated with an entity can includedata about the entity, which can be collected through an API forsoftware that monitors that entity.

The computing machine can cause the search query for each KPI to executeto produce a corresponding value for a respective KPI. The search querydefining a KPI can derive the value for that KPI in part by applying alate-binding schema to machine data or, more specifically, to eventscontaining raw portions of the machine data. The search query can derivethe value for the KPI by using a late-binding schema to extract aninitial value and then performing a calculation on (e.g., applying astatistical function to) the initial value.

The values of each of the KPIs can differ at different points in time.As discussed above, the search query for a KPI can be executed based ona frequency of monitoring assigned to the particular KPI. When thefrequency of monitoring for a KPI is set to a time period, for example,Medium Frequency (e.g., 10 minutes), a value for the KPI is derived eachtime the search query defining the KPI is executed every 10 minutes. Thederived value(s) for each KPI can be stored in a data store. When a KPIis assigned a zero frequency (no frequency), no value is produced (thesearch query for the KPI is not executed) for the respective KPI.

The derived value(s) of a KPI is indicative of how an aspect of theservice is performing. In one example, the search query can derive thevalue for the KPI by applying a late-binding schema to machine datapertaining to events to extract values for a specific fields defined bythe schema. In another example, the search query can derive the valuefor that KPI by applying a late-binding schema to machine datapertaining to events to extract an initial value for a specific fielddefined by the schema and then performing a calculation on (e.g.,applying a statistical function to) the initial value to produce thecalculation result as the KPI value. In yet another example, the searchquery can derive the value for the KPI by applying a late-binding schemato machine data pertaining to events to extract an initial value forspecific fields defined by the late-binding schema to find events thathave certain values corresponding to the specific fields, and countingthe number of found events to produce the resulting number as the KPIvalue.

At block 3410, the computing machine optionally maps the value producedby a search query for each KPI to a state. As discussed above, each KPIcan have one or more states defined by one or more thresholds. Inparticular, each threshold can define an end of a range of values. Eachrange of values represents a state for the KPI. At a certain point intime or a period of time, the KPI can be in one of the states (e.g.,normal state, warning state, critical state) depending on which rangethe value, which is produced by the search query of the KPI, falls into.For example, the value produced by the Memory Usage KPI may be in therange representing a Warning State. The value produced by the CPU UsageKPI may be in the range representing a Warning State. The value producedby the Request Response Time KPI may be in the range representing aCritical State.

At block 3412, the computing machine optionally maps the state for eachKPI to a rating assigned to that particular state for a respective KPI(e.g., automatically or based on user input). For example, for aparticular KPI, a user may provide input assigning a rating of 1 to theNormal State, a rating of 2 to the Warning State, and a rating of 3 tothe Critical State. In some implementations, the same ratings areassigned to the same states across the KPIs for a service. For example,the Memory Usage KPI, CPU Usage KPI, and Request Response Time KPI for aWeb Hosting service may each have Normal State with a rating of 1, aWarning State with a rating of 2, and a Critical State with a rating of3. The computing machine can map the current state for each KPI, asdefined by the KPI value produced by the search query, to theappropriate rating. For example, the Memory Usage KPI in the WarningState can be mapped to 2. The CPU Usage KPI in the Warning State can bemapped to 2. The Request Response Time KPI in the Critical State can bemapped to 3. In some implementations, different ratings are assigned tothe same states across the KPIs for a service. For example, the MemoryUsage KPI may each have Critical State with a rating of 3, and theRequest Response Time KPI may have Critical State with a rating of 5.

At block 3414, the computing machine calculates an impact score for eachKPI. In some implementations, the impact score of each KPI can be basedon the importance weight of a corresponding KPI (e.g., weight×KPIvalue). In other implementations, the impact score of each KPI can bebased on the rating associated with a current state of a correspondingKPI (e.g., rating×KPI value). In yet other implementations, the impactscore of each KPI can be based on both the importance weight of acorresponding KPI and the rating associated with a current state of thecorresponding KPI. For example, the computing machine can apply theweight of the KPI to the rating for the state of the KPI. The impact ofa particular KPI at a particular point in time on the aggregate KPI canbe the product of the rating of the state of the KPI and the importance(weight) assigned to the KPI. In one implementation, the impact score ofa KPI can be calculated as follows:Impact Score of KPI=(weight)×(rating of state)

For example, when the weight assigned to the Memory Usage KPI is 1 andthe Memory Usage KPI is in a Warning State, the impact score of theMemory Usage KPI=1×2. When the weight assigned to the CPU Usage KPI is 2and the CPU Usage KPI is in a Warning State, the impact score of the CPUUsage KPI=2×2. When the weight assigned to the Request Response Time KPIis 3 and the Request Response Time KPI is in a Critical State, theimpact score of the Request Response Time KPI=3×3.

In another implementation, the impact score of a KPI can be calculatedas follows:Impact Score of KPI=(weight)×(rating of state)×(value)

In yet some implementations, the impact score of a KPI can be calculatedas follows:Impact Score of KPI=(weight)×(value)

At block 3416, the computing machine calculates an aggregate KPI score(“score”) for the service based on the impact scores of individual KPIsof the service. The score for the aggregate KPI indicates an overallperformance of the service. The score of the aggregate KPI can becalculated periodically (as configured by a user or based on a defaulttime interval) and can change over time based on the performance ofdifferent aspects of the service at different points in time. Forexample, the aggregate KPI score may be calculated in real time(continuously calculated until interrupted). The aggregate KPI score maybe calculated may be calculated periodically (e.g., every second).

In some implementations, the score for the aggregate KPI can bedetermined as the sum of the individual impact scores for the KPIs ofthe service. In one example, the aggregate KPI score for the Web Hostingservice can be as follows:Aggregate KPI_(Web Hosting)=(weight×rating ofstate)_(Memory Usage KPI)+(weight×rating ofstate)_(CPU Usage KPI)+(weight×rating ofstate)_(Request Response Time KPI)=(1×2)+(2×2)+(3×3)=15.

In another example, the aggregate KPI score for the Web Hosting servicecan be as follows:Aggregate KPI_(Web Hosting)=(weight×rating ofstate×value)_(Memory Usage KPI)+(weight×rating ofstate×value)_(CPU Usage KPI)+(weight×rating ofstate×value)_(Request Response Time KPI)=(1×2×60)+(2×2×55)+(3×3×80)=1060.

In yet some other implementations, the impact score of an aggregate KPIcan be calculated as a weighted average as follows:Aggregate KPI_(Web Hosting)=[(weight×rating ofstate)_(Memory Usage KPI)+(weight×rating ofstate)_(CPU Usage KPI)+(weight×rating ofstate)_(Request Response Time KPI))]/(weight_(Memory Usage KPI)+weight_(CPU Usage KPI)+weight_(Request Response Time KPI))

A KPI can have multiple values produced for the particular KPI fordifferent points in time, for example, as specified by a frequency ofmonitoring for the particular KPI. The multiple values for a KPI can bethat in a data store. In one implementation, the latest value that isproduced for the KPI is used for calculating the aggregate KPI score forthe service, and the individual impact scores used in the calculation ofthe aggregate KPI score can be the most recent impact scores of theindividual KPIs based on the most recent values for the particular KPIstored in a data store. Alternatively, a statistical function (e.g.,average, maximum, minimum, etc.) is performed on the set of the valuesthat is produced for the KPI is used for calculating the aggregate KPIscore for the service. The set of values can include the values over atime period between the last calculation of the aggregate KPI score andthe present calculation of the aggregate KPI score. The individualimpact scores used in the calculation of the aggregate KPI score can beaverage impact scores, maximum impact score, minimum impact scores, etc.over a time period between the last calculation of the aggregate KPIscore and the present calculation of the aggregate KPI score.

The individual impact scores for the KPIs can be calculated over a timerange (since the last time the KPI was calculated for the aggregate KPIscore). For example, for a Web Hosting service, the Request ResponseTime KPI may have a high frequency (e.g., every 2 minutes), the CPUUsage KPI may have a medium frequency (e.g., every 10 minutes), and theMemory Usage KPI may have a low frequency (e.g., every 30 minutes). Thatis, the value for the Memory Usage KPI can be produced every 30 minutesusing machine data received by the system over the last 30 minutes, thevalue for the CPU Usage KPI can be produced every 10 minutes usingmachine data received by the system over the last 10 minutes, and thevalue for the Request Response Time KPI can be produced every 2 minutesusing machine data received by the system over the last 2 minutes.Depending on the point in time for when the aggregate KPI score is beingcalculated, the value (e.g., and thus state) of the Memory Usage KPI maynot have been refreshed (the value is stale) because the Memory UsageKPI has a low frequency (e.g., every 30 minutes). Whereas, the value(e.g., and thus state) of the Request Response Time KPI used tocalculate the aggregate KPI score is more likely to be refreshed(reflect a more current state) because the Request Response Time KPI hasa high frequency (e.g., every 2 minutes). Accordingly, some KPIs mayhave more impact on how the score of the aggregate KPI changes overtimethan other KPIs, depending on the frequency of monitoring of each KPI.

In one implementation, the computing machine causes the display of thecalculated aggregate KPI score in one or more graphical interfaces andthe aggregate KPI score is updated in the one or more graphicalinterfaces each time the aggregate KPI score is calculated. In oneimplementation, the configuration for displaying the calculatedaggregate KPI in one or more graphical interfaces is received as input(e.g., user input), stored in a data store coupled to the computingmachine, and accessed by the computing machine.

At block 3418, the computing machine compares the score for theaggregate KPI to one or more thresholds. As discussed above with respectto FIG. 33B, one or more thresholds can be defined and can be configuredto apply to a specific individual KPI and/or an aggregate KPI includingthe specific individual KPI. The thresholds can be stored in a datastore that is coupled to the computing machine. If the thresholds areconfigured to be applied to the aggregate KPI, the computing machinecompares the score of the aggregate KPI to the thresholds. If thecomputing machine determines that the aggregate KPI score exceeds orreaches any of the thresholds, the computing machine determines whataction should be triggered in response to this comparison.

Referring to FIG. 34, at block 3420, the computing machine causes anaction be performed based on the comparison of the aggregate KPI scorewith the one or more thresholds. For example, the computing machine cangenerate an alert if the aggregate KPI score exceeds or reaches aparticular threshold (e.g., the highest threshold). In another example,the computing machine can generate a notable event if the aggregate KPIscore exceeds or reaches a particular threshold (e.g., the secondhighest threshold). In one implementation, the KPIs of multiple servicesis aggregated and used to create a notable event. In one implementation,the configuration for which of one or more actions to be performed isreceived as input (e.g., user input), stored in a data store coupled tothe computing machine, and accessed by the computing machine.

Correlation Search and KPI Distribution Thresholding

As discussed above, the aggregate KPI score a service can be used togenerate notable events and/or alarms, according to one or moreimplementations of the present disclosure. In another implementation, acorrelation search is created and used to generate notable event(s)and/or alarm(s). A correlation search can be created to determine thestatus of a set of KPIs for a service over a defined window of time.Thresholds can be set on the distribution of the state of eachindividual KPI and if the distribution thresholds are exceeded then analert/alarm can be generated.

The correlation search can be based on a discrete mathematicalcalculation. For example, the correlation search can include, for eachKPI included in the correlation search, the following:(sum_crit>threshold_crit) &&((sum_crit+sum_warn)>(threshold_crit+threshold_warn)) &&((sum_crit+sum_warn+sum_normal)>(threshold_crit+threshold_warn+threshold_normal))

Input (e.g., user input) can be received that defines one or morethresholds for the counts of each state in a defined (e.g.,user-defined) time window for each KPI. The thresholds define adistribution for the respective KPI. The distribution shift betweenstates for the respective KPI can be determined. When the distributionfor a respective KPI shifts toward a particular state (e.g., criticalstate), the KPI can be categorized accordingly. The distribution shiftfor each KPI can be determined, and each KPI can be categorizedaccordingly. When the KPIs for a service a categorized, the categorizedKPIs can be compared to criteria for triggering a notable event. If thecriteria are satisfied, a notable event can be triggered.

For example, a Web Hosting service may have three KPIs: (1) CPU Usage,(2) Memory Usage, and (3) Request Response Time. The counts for eachstate a defined (e.g., user-defined) time window for the CPU Usage KPIcan be determined, and the distribution thresholds can be applied to thecounts. The distribution for the CPU Usage KPI may shift towards acritical state, and the CPU Usage KPI is flagged as criticalaccordingly. The counts for each state in a defined time window for theMemory Usage KPI can be determined, and the distribution thresholds forthe Memory Usage KPI may also shift towards a critical state, and theMemory Usage KPI is flagged as critical accordingly.

The counts of each state in a defined time window for the RequestResponse Time KPI can be determined, and the distribution thresholds forthe Request Response Time KPI can be applied to the counts. Thedistribution for the Request Response Time KPI may also shift towards acritical state, and the Request Response Time KPI is flagged as criticalaccordingly. The categories for the KPIs can be compared to the one ormore criteria for triggering a notable event, and a notable event istriggered as a result of each of the CPU Usage KPI, Memory Usage KPI,and Request Response Time KPI being flagged as critical.

Input (e.g., user input) can be received specifying one or more criteriafor triggering a notable event. For example, the criteria may be thatwhen all of the KPIs in the correlation search for a service are flagged(categorized) a critical state, a notable event is triggered. In anotherexample, the criteria may be that when a particular KPIs is flagged aparticular state for a particular number of times, a notable event istriggered. Each KPI can be assigned a set of criteria.

For example, a Web Hosting service may have three KPIs: (1) CPU Usage,(2) Memory Usage, and (3) Request Response Time. The counts of eachstate in a defined (e.g., user-defined) time window for the CPU UsageKPI can be determined, and the distribution thresholds can be applied tothe counts. The distribution for the CPU Usage KPI may shift towards acritical state, and the CPU Usage KPI is flagged as criticalaccordingly. The counts of each state in a defined time window for theMemory Usage KPI can be determined, and the distribution thresholds forthe Memory Usage KPI can be applied to the counts. The distribution forthe Memory Usage KPI may also shift towards a critical state, and theMemory Usage KPI is flagged as critical accordingly. The counts of eachstate in a defined time window for the Request Response Time KPI can bedetermined, and the distribution thresholds for the Request ResponseTime KPI can be applied to the counts. The distribution for the RequestResponse Time KPI may also shift towards a critical state, and theRequest Response Time KPI is flagged as critical accordingly. Thecategories for the KPIs can be compared to the one or more criteria fortriggering a notable event, and a notable event is triggered as a resultof each of the CPU Usage KPI, Memory Usage KPI, and Request ResponseTime KPI being flagged as critical.

Example Service-Monitoring Dashboard

FIG. 35 is a flow diagram of an implementation of a method 3500 forcreating a service-monitoring dashboard, in accordance with one or moreimplementations of the present disclosure. The method may be performedby processing logic that may comprise hardware (circuitry, dedicatedlogic, etc.), software (such as is run on a general purpose computersystem or a dedicated machine), or a combination of both. In oneimplementation, the method is performed by the client computing machine.In another implementation, the method is performed by a server computingmachine coupled to the client computing machine over one or morenetworks.

At block 3501, the computing machine causes display of adashboard-creation graphical interface that includes a modifiabledashboard template, and a KPI-selection interface. A modifiabledashboard template is part of a graphical interface to receive input forediting/creating a custom service-monitoring dashboard. A modifiabledashboard template is described in greater detail below in conjunctionwith FIG. 36B. The display of the dashboard-creation graphical interfacecan be caused, for example, by a user selecting to create aservice-monitoring dashboard from a GUI. FIG. 36A illustrates an exampleGUI 3650 for creating and/or editing a service-monitoring dashboard, inaccordance with one or more implementations of the present disclosure.In one implementation, GUI 3650 includes a menu item, such asService-Monitoring Dashboards 3652, which when selected can present alist 3656 of existing service-monitoring dashboards that have alreadybeen created. The list 3656 can represent service-monitoring dashboardsthat have data that is stored in a data store for displaying theservice-monitoring dashboards. Each service-monitoring dashboard in thelist 3656 can include a button 3658 for requesting a drop-down menulisting editing options to edit the corresponding service-monitoringdashboard. Editing can include editing the service-monitoring dashboardand/or deleting the service-monitoring dashboard. When an editing optionis selected from the drop-down menu, one or more additional GUIs can bedisplayed for editing the service-monitoring dashboard.

The dashboard creation graphical interface can be a wizard or any othertype of tool for creating a service-monitoring dashboard that presents avisual overview of how one or more services and/or one or more aspectsof the services are performing. The services can be part of an ITenvironment and can include, for example, a web hosting service, anemail service, a database service, a revision control service, a sandboxservice, a networking service, etc. A service can be provided by one ormore entities such as host machines, virtual machines, switches,firewalls, routers, sensors, etc. Each entity can be associated withmachine data that can have different formats and/or use differentaliases for the entity. As discussed above, each service can beassociated with one or more KPIs indicating how aspects of the serviceare performing. The KPI-selection interface of the dashboard creationGUI allows a user to select KPIs for monitoring the performance of oneor more services, and the modifiable dashboard template of the dashboardcreation GUI allows the user to specify how these KPIs should bepresented on a service-monitoring dashboard that will be created basedon the dashboard template. The dashboard template can also define theoverall look of the service-monitoring dashboard. The dashboard templatefor the particular service-monitoring dashboard can be saved, andsubsequently, the service-monitoring dashboard can be generated fordisplay based on the customized dashboard template and KPI valuesderived from machine data, as will be discussed in more details below.

GUI 3650 can include a button 3654 that a user can activate to proceedto the creation of a service-monitoring dashboard, which can lead to GUI3600 of FIG. 36B. FIG. 36B illustrates an example dashboard-creation GUI3600 for creating a service-monitoring dashboard, in accordance with oneor more implementations of the present disclosure. GUI 3600 includes amodifiable dashboard template 3608 and a KPI-selection interface 3606for selecting a key performance indicator (KPI) of a service. GUI 3600can facilitate input (e.g., user input) of a name 3602 of the particularservice-monitoring dashboard that is being created and/or edited. GUI3600 can include a button 3612 for storing the dashboard template 3608for creating the service-monitoring dashboard. GUI 3600 can display aset of identifiers 3604, each corresponding to a service. The set ofidentifies 3604 is described in greater detail below. GUI 3600 can alsoinclude a configuration interface 3610 for configuring style settingspertaining to the service-monitoring dashboard. The configurationinterface 3610 is described in greater detail below. GUI 3600 can alsoinclude a customization toolbar 3601 for customizing theservice-monitoring dashboard as described in greater detail below inconjunction with FIG. 35. The configuration interface 3610 can alsoinclude entity identifiers and facilitate input (e.g., user input) forselecting entity identifier of entities to be included in theservice-monitoring dashboard.

Returning to FIG. 35, at block 3503, the computing machine optionallyreceives, via the dashboard-creation graphical interface, input forcustomizing an image for the service-monitoring dashboard and causes thecustomized image to be displayed in the dashboard-creation graphicalinterface at block 3505. In one example, the computing machineoptionally receives, via the dashboard-creation graphical interface, aselection of a background image for the service-monitoring dashboard andcauses the selected background image to be displayed in thedashboard-creation graphical interface. The computing machine candisplay the selected background image in the modifiable dashboardtemplate. FIG. 37 illustrates an example GUI 3700 for adashboard-creation graphical interface including a user selectedbackground image, in accordance with one or more implementations of thepresent disclosure. GUI 3700 displays the user selected image 3708 inthe modifiable dashboard template 3710.

Referring again to FIG. 35, in another example, at block 3503, thecomputing machine optionally receives input (e.g., user input) via acustomization toolbar (e.g., customization toolbar 3601 in FIG. 36B) forcustomizing an image for the service-monitoring dashboard. Thecustomization toolbar can be a graphical interface containing drawingtools to customize a service-monitoring dashboard to define, forexample, flow charts, text and connections between different elements onthe service-monitoring dashboard. For example, the computing machine canreceive input of a user drawing a flow chart or a representation of anenvironment (e.g., IT environment). In another example, the computingmachine can receive input of a user drawing a representation of anentity and/or service. In another example, the computing machine canreceive input of a user selection of an image to represent of an entityand/or service.

At block 3507, the computing machine receives, through the KPI-selectioninterface, a selection of a particular KPI for a service. As discussedabove, each KPI indicates how an aspect of the service is performing atone or more points in time. A KPI is defined by a search query thatderives one or more values for the KPI from the machine data associatedwith the one or more entities that provide the service whose performanceis reflected by the KPI.

In one example, prior to receiving the selection of the particular KPI,the computing machine causes display of a context panel graphicalinterface in the dashboard-creation graphical interface that containsservice identifiers for the services (e.g., all of the services) withinan environment (e.g., IT environment). The computing machine can receiveinput, for example, of a user selecting one or more of the serviceidentifiers, and dragging and placing one or more of the serviceidentifiers on the dashboard template. In another example, the computingmachine causes display of a search box to receive input for filteringthe service identifiers for the services.

In another example, prior to receiving the selection of the particularKPI, the computing machine causes display of a drop-down menu ofselectable services in the KPI selection interface, and receives aselection of one of the services from the drop-down menu. In someimplementations, selectable services can be displayed as identifierscorresponding to individual services, where each identifier can be, forexample, the name of a particular service or the name of a servicedefinition representing the particular service. As discussed in moredetail above, a service definition can associate the service with one ormore entities (and thereby with heterogeneous machine data pertaining tothe entities) providing the service, and can specify one or more KPIscreated for the service to monitor the performance of different aspectsof the service.

In response to the user selection of a particular service, the computingmachine can cause display of a list of KPIs associated with the selectedservice in the KPI selection interface, and can receive the userselection of the particular KPI from this list.

Referring again to FIG. 37, a user may select Web Hosting service 3701in FIG. 37 from the set of KPI identifiers 3702, and in response to theselection of the Web Hosting service 3701, the computing machine cancause display of a set of KPIs available for the Web Hosting service3701. FIG. 38 illustrates an example GUI 3800 for displaying a set ofKPIs associated with a selected service, in accordance with one or moreimplementations of the present disclosure. GUI 3800 can be a pop-upwindow that includes a drop-down menu 3801, which when selected,displays a set of KPIs (e.g., Request Response Time and CPU Usage)associated with the service (e.g., Web Hosting service) corresponding tothe selected service identifier. The user can then select a particularKPI from the menu. In another implementation, GUI 3800 also displays anaggregate KPI associated with the selected service, which can beselected to be represented by a KPI widget in the dashboard template fordisplay in the service-monitoring dashboard.

Returning to FIG. 35, at block 3509, the computing machine receives aselection of a location for placing the selected KPI in the dashboardtemplate for displaying a KPI widget in a dashboard. Each KPI widget canprovide a numerical or graphical representation of one or more valuesfor a corresponding KPI or service health score (aggregate KPI for aservice) indicating how a service or an aspect of a service isperforming at one or more points in time. For example, a user can selectthe desired location for a KPI widget by clicking (or otherwiseindicating) a desired area in the dashboard template. Alternatively, auser can select the desired location by dragging the selected KPI (e.g.,its identifier in the form of a KPI name), and dropping the selected KPIat the desired location in the dashboard template. For example, when theuser selects the KPI, a default KPI widget is automatically displayed ata default location in the dashboard template. The user can then selectthe location by dragging and dropping the default KPI widget at thedesired location. As will be discussed in greater detail below inconjunction with FIGS. 40-42 and FIGS. 44-46, a KPI widget is a KPIidentifier that provides a numerical and/or visual representation of oneor more values for the selected KPI. A KPI widget can be, for example, aNoel gauge, a spark line, a single value, a trend indicator, etc.

At block 3511, the computing machine receives a selection of one or morestyle settings for a KPI identifier (a KPI widget) to be displayed inthe service-monitoring dashboard. For example, after the user selectsthe KPI, the user can provide input for creating and/or editing a titlefor the KPI. In one implementation, the computing machine causes thetitle that is already assigned to the selected KPI, for example via GUI2200 in FIG. 22, to be displayed at the selected location in thedashboard template. In another example, after the user selects the KPI,the user is presented with available style settings, and the user canthen select one or more of the style settings for the KPI widget to bedisplayed in the dashboard. In another example, in which a default KPIwidget is displayed in response to the user selection of the KPI, theuser can choose one or more of the available style setting(s) to replaceor modify the default KPI widget. Style settings define how the KPIwidget should be presented and can specify, for example, the shape ofthe widget, the size of the widget, the name of the widget, the metricunit of a KPI value, and/or other visual characteristics of the widget.Some implementations for receiving a selection of style setting(s) for aKPI widget to be displayed in the dashboard are discussed in greaterdetail below in conjunction with FIG. 39. At block 3513, the computingmachine causes display of a KPI identifier, such as a KPI widget, forthe selected KPI at the selected location in the dashboard template. TheKPI widget that is displayed in the dashboard template can be displayedusing the selected style settings. The computing machine can receivefurther input (e.g., user input) for resizing a KPI widget via an inputdevice (e.g., mouse, touch screen, etc.,) For example, the computingdevice may receive user input via mouse device resizing (e.g.,stretching, shrinking) the KPI widget.

FIG. 39 illustrates an example GUI 3900 facilitating user input forselecting a location in the dashboard template and style settings for aKPI widget, editing the service-monitoring dashboard by editing thedashboard template for the service-monitoring dashboard, and displayingthe KPI widget in the dashboard template, in accordance with one or moreimplementations of the present disclosure. GUI 3900 includes aconfiguration interface 3906 to display a set of selectable thumbnailimages (or icons or buttons) 3911 representing different types or stylesof KPI widgets. The KPI widget styles can include, for example, and notlimited to, a single value widget, a spark line widget, a Noel gaugewidget, and a trend indicator widget. Configuration interface 3905 candisplay a single value widget thumbnail image 3907, a spark line widgetthumbnail image 3908, a Noel gauge widget thumbnail image 3909, and atrend indicator widget thumbnail image 3910. For example, a user mayhave selected the Web Hosting service 3901, dragged the Web Hostingservice 3901, and dropped the Web Hosting service 3901 on location 3905.The user may also have selected the CPU Usage KPI for the Web Hostingservice 3901 and the Noel gauge widget thumbnail image 3909 to displaythe KPI widget for the CPU Usage KPI at the location 3905. In response,the computing machine can cause display of the Noel Gauge widget for theselected KPI (e.g., CPU Usage KPI) at the selected location (e.g.,location 3905) in the dashboard template 3903. Some implementations ofwidgets for representing KPIs are discussed in greater detail below inconjunction with FIGS. 40-42 and FIGS. 44-46. In response to a userselection of a style setting for the KPI widget, one or more GUIs can bepresented for customizing the selected KPI widget for the KPI. Input canbe received via the GUIs to select a label for a KPI widget and themetric unit to be used for the KPI value with the KPI widget.

In one implementation, GUI 3900 includes an icon 3914 in thecustomization toolbar, which can be selected by a user, for defining oneor more search queries. The search queries may produce resultspertaining to one or more entities. For example, icon 3914 may beselected and an identifier 3918 for a search widget can be displayed inthe dashboard template 3903. The identifier 3918 for the search widgetcan be the search widget itself, as illustrated in FIG. 39. The searchwidget can be a shape (e.g., box) and can display results (e.g., valueproduced by a corresponding search query) in the shape in theservice-monitoring dashboard when the search query is executed fordisplaying the service-monitoring dashboard to a user.

The identifier 3918 can be displayed in a default location in thedashboard template 3903 and a user can optionally select a new locationfor the identifier 3918. The location of the identifier 3918 in thedashboard template specifies the location of the search widget in theservice-monitoring dashboard when the service-monitoring dashboard isdisplayed to a user. GUI 3900 can display a search definition box (e.g.,box 3915) that corresponds to the search query. A user can provide inputfor the criteria for the search query via the search definition box(e.g., box 3915). For example, the search query may produce a statscount for a particular entity. The input pertaining to the search queryis stored as part of the dashboard template. The search query can beexecuted when the service-monitoring dashboard is displayed to a userand the search widget can display the results from executing the searchquery.

Referring to FIG. 35, in one implementation, the computing machinereceives input (e.g., user input), via the dashboard-creation graphicalinterface, of a time range to use for the KPI widget, editing theservice-monitoring dashboard, and clearing data in the dashboardtemplate.

At block 3515, the computing machine stores the resulting dashboardtemplate in a data store. The dashboard template can be saved inresponse to a user request. For example, a request to save the dashboardtemplate may be received upon selection of a save button (e.g., savebutton 3612 in GUI 3600 of FIG. 36).

Referring to FIG. 35, at block 3517, the computing machine can receive auser request for a service-monitoring dashboard, and can then generateand cause display of the service-monitoring dashboard based on thedashboard template at block 3519. Some implementations for causingdisplay of a service-monitoring dashboard based on the dashboardtemplate are discussed in greater detail below in conjunction with FIG.47.

FIG. 40 illustrates an example Noel gauge widget 4000, in accordancewith one or more implementations of the present disclosure. Noel gaugewidget 4000 can have a shape 4001 with an empty space 4002 and with oneend 4004 corresponding to a minimum KPI value and the other end 4006corresponding to a maximum KPI value. The minimum value and maximumvalue can be user-defined values, for example, received via fields3116,3120 in GUI 3100 in FIG. 31A, as discussed above. Referring to FIG.40, the value produced by the search query defining the KPI can berepresented by filling in the empty space 4002 of the shape 4001. Thisfiller can be displayed using a color 4003 to represent the currentstate (e.g., normal, warning, critical) of the KPI according to thevalue produced by the search query. The color can be based on inputreceived when one or more thresholds were created for the KPI. The Noelgauge widget 4000 can also display the actual value 4007 produced by thesearch query defining the KPI. The value 4007 can be of a nominal coloror can be of a color representative of the state to which the valueproduced by the search query corresponds. A user can provide input, viathe dashboard-creation graphical interface, indicating whether to applya nominal color or color representative of the state.

The Noel gauge widget 4000 can display a label 4005 (e.g., RequestResponse Time) to describe the KPI and the metric unit 4009 (e.g., ms(milliseconds)) used for the KPI value. If the KPI value 4007 exceedsthe maximum value represented by the second end 4006 of the shape 4001of the Noel gauge widget 4000, the shape 4001 is displayed as beingfully filled and can include an additional visual indicator representingthat the KPI value 4007 exceeded the maximum value represented by thesecond end 4006 of the shape 4001 of the Noel gauge widget 4000.

The value 4007 can be produced by executing the search query of the KPI.The execution can be real-time (continuous execution until interrupted)or relative (based on a specific request or scheduled time). Inaddition, the machine data used by the search query to produce eachvalue can be based on a time range. The time range can be user-definedtime range. For example, before displaying a service-monitoringdashboard generated based on the dashboard template, a user can provideinput specifying the time range. The input can be received, for example,via a drop-down menu 3912 in GUI 3900 in FIG. 39. The initial timerange, received via GUI 3900, can be stored with the dashboard templatein a data store and subsequently used for producing the values for theKPI to be displayed in the service-monitoring dashboard.

When drop-down menu 3912 is selected by a user, GUI 4300 in FIG. 43 canbe displayed. FIG. 43 illustrates an example GUI 4300 for facilitatinguser input specifying a time range to use when executing a search querydefining a KPI, in accordance with one or more implementations of thepresent disclosure. For real-time execution, for example, used to updatethe service-monitoring dashboard in real-time, the time range formachine data can be a specified time window (e.g., 30-second window,1-minute window, 1-hour window, etc.) from the execution time (e.g.,each time the query is executed, the events with timestamps within thespecified time window from the query execution time will be used). Forrelative execution, the time range can be historical (e.g., yesterday,previous week, etc.) or based on a specified time window from therequested time or scheduled time (e.g., last 15 minutes, last 4 hours,etc.). For example, the historical time range “Yesterday” 4304 can beselected for relative execution. In another example, the window timerange “Last 15 minutes” 4305 can be selected for relative execution.

Referring to FIG. 40, the KPI may be for Request Response Time for a WebHosting service. The time range “Last 15 minutes” may be selected forthe service-monitoring dashboard presented to a user, and the value 4007(e.g., 1.41) produced by the search query defining the Request ResponseTime KPI can be the average response time using the last 15 minutes ofmachine data associated with the entities providing the Web Hostingservice from the time of the request. FIG. 42 illustrates an example GUI4200 illustrating a search query and a search result for a Noel gaugewidget, a single value widget, and a trend indicator widget, inaccordance with one or more implementations of the present disclosure. Asingle value widget is discussed in greater detail below in conjunctionwith FIG. 41. A trend indicator widget is discussed in greater detailbelow in conjunction with FIG. 46. Referring to FIG. 42, the KPI may befor Request Response Time. The KPI may be defined by a search query 4501that outputs a search result having a single value 4203 (e.g., 1.41) fora Noel gauge widget, a single value widget, and/or a trend indicatorwidget. The search query 4201 can include a statistical function 4205(e.g., average) to produce the single value (e.g., value 4203) torepresent response time using machine data from the Last 15 minutes4207.

FIG. 41 illustrates an example single value widget 4100, in accordancewith one or more implementations of the present disclosure. Single valuewidget 4100 can include the value 4107, produced by the search querydefining the KPI, in a shape 4101 (e.g., box). The shape can be coloredusing a color 4103 representative of the state (e.g., normal, warning,critical) to which the value produced by the search query corresponds.The value 4107 can be also colored using a nominal color or a colorrepresentative of the state to which the value produced by the searchquery corresponds. The single value widget 4100 can display a label todescribe the KPI and the metric unit used for the KPI. A user canprovide input, via the dashboard-creation graphical interface,indicating whether to apply a nominal color or color representative ofthe state.

The machine data used by the search query to produce the value 4107 isbased on a time range (e.g., user selected time range). For example, theKPI may be fore Request Response Time for a Web Hosting service. Thetime range “Last 15 minutes” may be selected for the service-monitoringdashboard presented to a user. The value 4107 (e.g., 1.41) produced bythe search query defining the Request Response Time KPI can be theaverage response time using the last 15 minutes of machine dataassociated with the entities providing the Web Hosting service from thetime of the request.

FIG. 44 illustrates spark line widget 4400, in accordance with one ormore implementations of the present disclosure. Spark line widget 4400can include two shapes (e.g., box 4405 and rectangular box 4402). Oneshape (e.g., box 4405) of the spark line widget 4400 can include a value4407, which is described in greater detail below. The shape (e.g., box4405) can be colored using a color 4406 representative of the state(e.g., normal, warning, critical) to which the value 4407 corresponds.The value 4407 can be also be colored using a nominal color or a colorrepresentative of the state to which the value 4407 corresponds. A usercan provide input, via the dashboard-creation graphical interface,indicating whether to apply a nominal color or color representative ofthe state.

Another shape (e.g., rectangular box 4402) in the spark line widget 4400can include a graph 4401 (e.g., line graph), which is described ingreater detail below, that includes multiple data points. The shape(e.g., rectangular box 4402) containing the graph 4401 can be coloredusing a color representative of the state (e.g., normal, warning,critical) of which a corresponding data point (e.g., latest data point)falls into. The graph 4401 can be colored using a color representativeof the state (e.g., normal, warning, critical) of which a correspondingdata point falls into. For example, the graph 4401 may be a line graphthat transitions between green, yellow, red, depending on the value of adata point in the line graph. In one implementation, input (e.g., userinput) can be received, via the service-monitoring dashboard, of aselection device hovering over a particular point in the line graph, andinformation (e.g., data value, time, and color) corresponding to theparticular point in the line graph can be displayed in theservice-monitoring dashboard, for example, in the spark line widget4400. The spark line widget 4400 can display a label to describe the KPIand the metric unit used for the KPI.

The spark line widget 4400 is showing data in a time series graph withthe graph 4401, as compared to a single value widget (e.g., single valuewidget 4100) and a Noel gauge widget (e.g., Noel gauge widget 4000) thatdisplay a single data point, for example as illustrated in FIG. 42. Thedata points in the graph 4401 can represent what the values, produced bythe search query defining the KPI, have been over a time range (e.g.,time range selected in GUI 4300). FIG. 45 illustrates an example GUI4500 illustrating a search query and search results for a spark linewidget, in accordance with one or more implementations of the presentdisclosure. The KPI may be for Request Response Time. The KPI may bedefined by a search query 4501 that produces multiple values, forexample, to be used for a spark line widget. A user may have selected atime range of “Last 15 minutes” 4507 (e.g., time range selected in GUI4300). The machine data used by the search query 4501 to produce thesearch results can be based on the last 15 minutes. For example, thesearch results can include a value for each minute in the last 15minutes. The values 4503 in the search results can be used as datapoints to plot a graph (e.g., graph 4401 in FIG. 44) in the spark linewidget. Referring to FIG. 44, the graph 4401 is from data over a periodof time (e.g., Last 15 minutes). The graph 4401 is made of data points(e.g., 15 values 4503 in search results in FIG. 45). Each data point isan aggregate from the data for a shorter period of time (e.g., unit oftime). For example, if the time range “Last 15 minutes” is selected,each data point in the graph 4401 represents a unit of time in the last15 minutes. For example, the unit of time may be one minute, and thegraph contains 15 data points, one for each minute for the last 15minutes. Each data point can be the average response time (e.g.,avg(spent) in search query 4501 in FIG. 45) for the correspondingminute. In another example, if the time range “Last 4 hours” isselected, and the unit of time used for the graph 4401 is 15 minutes,then the graph 4401 would be made from 16 data points.

In one implementation, the value 4407 in the other shape (e.g., box4405) in the spark line widget 4400 represents the latest value in thetime range. For example, the value 4407 (e.g., 1.32) can represent thelast data point 4403 in the graph 4401. If the time range “Last 15minutes” is selected, the value 4407 (e.g., 1.32) can represent theaverage response time of the data in that last minute of the 15 minutetime range.

In another implementation, the value 4407 is the first data point in thegraph 4401. In another implementation, the value 4407 represents anaggregate of the data in the graph 4401. For example, a statisticalfunction can be performed on using the data points for the time range(e.g., Last 15 minutes) for the value 4407. For example, the value 4407may be the average of all of the points in the graph 4401, the maximumvalue from all of the points in the graph 4401, the mean of all of thepoints in the graph 4401. Input (e.g., user input) can be received, forexample, via the dashboard-creation graphical interface, specifying type(e.g. latest, first, average, maximum, mean) of value to be representedby value 4407.

FIG. 46 illustrates a trend indicator widget 4600, in accordance withone or more implementations of the present disclosure. Trend indicatorwidget 4600 can include a shape 4601 (e.g., rectangular box) thatincludes a value 4607, produced by the search query defining the KPI, inanother shape 4601 (e.g., box) and an arrow 4605. The shape 4601containing the value 4607 can be colored using a color 4603representative of the state (e.g., normal, warning, critical) of whichthe value 4607 produced by the search query falls into. The value 4607can be of a nominal color or can be of a color representative of thestate for which the value produced by the search query falls into. Auser can provide input, via the dashboard-creation graphical interface,indicating whether to apply a nominal color or color representative ofthe state. The trend indicator widget 4600 can display a label todescribe the KPI and the metric unit used for the KPI.

The arrow 4605 can indicate a trend pertaining to the KPI by pointing ina direction. For example, the arrow 4605 can point in a general updirection to indicate a positive or increasing trend, the arrow 4605 canpoint in a general down direction to indicate a negative or decreasingtrend, or the arrow 4605 can point in a general horizontal direction toindicate no change in the KPI. The direction of the arrow 4605 in thetrend indicator widget 4600 may change when a KPI is being updated, forexample, in a service-monitoring dashboard, depending on the currenttrend at the time the KPI is being updated.

In one implementation, a color is assigned to each trend (e.g.,increasing trend, decreasing trend). The arrow 4605 can be of a nominalcolor or can be of a color representative of the determined trend. Auser can provide input, via the dashboard-creation graphical interface,indicating whether to apply a nominal color or color representative ofthe trend. The shape 4607 can be of a nominal color or can be of a colorrepresentative of the determined trend. A user can provide input, viathe dashboard-creation graphical interface, indicating whether to applya nominal color or color representative of the trend.

In one implementation, the trend represented by the arrow 4605 is ofwhether the value 4607 has been increasing or decreasing in a selectedtime range relative to the last time the KPI was calculated. Forexample, if the time range “Last 15 minutes” is selected, the average ofthe data points of the last 15 minutes is calculated, and the arrow 4605can indicate whether the average of the data points of the last 15minutes is greater that than the average calculated from the time range(e.g., 15 minutes) prior. In one implementation, the trend indicatorwidget 4600 includes a percentage indicator indicating a percentage ofthe value 4607 increasing or decreasing in a selected time rangerelative to the last time the KPI was calculated.

In another implementation, the arrow 4605 indicates whether the lastvalue for the last data point in the last 15 minutes is greater than thevalue immediately before the last data point.

The machine data used by the search query to produce the value 4607 isbased on a time range (e.g., user selected time range). For example, theKPI may be fore Request Response Time for a Web Hosting service. Thetime range “Last 15 minutes” may be selected for the service-monitoringdashboard presented to a user. The value 4607 (e.g., 1.41) produced bythe search query defining the Request Response Time KPI can be theaverage response time using the last 15 minutes of machine dataassociated with the entities providing the Web Hosting service from thetime of the request.

As discussed above, once the dashboard template is defined, it can besaved, and then used to generate a service-monitoring dashboard fordisplay. The dashboard template can identify the KPIs selected for theservice-monitoring dashboard, KPI widgets to be displayed for the KPIsin the service-monitoring dashboard, locations in the service-monitoringdashboard for displaying the KPI widgets, visual characteristics of theKPI widgets, and other information (e.g., the background image for theservice-monitoring dashboard, an initial time range for theservice-monitoring dashboard).

FIG. 47A is a flow diagram of an implementation of a method 4750 forcreating and causing for display a service-monitoring dashboard, inaccordance with one or more implementations of the present disclosure.The method may be performed by processing logic that may comprisehardware (circuitry, dedicated logic, etc.), software (such as is run ona general purpose computer system or a dedicated machine), or acombination of both. In one implementation, the method is performed bythe client computing machine. In another implementation, the method isperformed by a server computing machine coupled to the client computingmachine over one or more networks.

At block 4751, the computing machine identifies one or more keyperformance indicators (KPIs) for one or more services to be monitoredvia a service-monitoring dashboard. A service can be provided by one ormore entities. Each entity can be associated with machine data. Themachine data can include unstructured data, log data, and/or wire data.The machine data associated with an entity can include data collectedfrom an API for software that monitors that entity.

A KPI can be defined by a search query that derives one or more valuesfrom machine data associated with the one or more entities that providethe service. Each KPI can be defined by a search query that is eitherentered by a user or generated through a graphical interface. In oneimplementation, the computing machine accesses a dashboard template thatis stored in a data store that includes information identifying the KPIsto be displayed in the service-monitoring dashboard. In oneimplementation, the dashboard template specifies a service definitionthat associates the service with the entities providing the service,specifies the KPIs of the service, and also specifies the search queriesfor the KPIs. As discussed above, the search query defining a KPI canderive one or more values for the KPI using a late-binding schema thatit applies to machine data. In some implementations, the servicedefinition identified by the dashboard template can also includeinformation on predefined states for a KPI and various visual indicatorsthat should be used to illustrate states of the KPI in the dashboard.

The computing machine can optionally receive input (e.g., user input)identifying one or more ad hoc searches to be monitored via theservice-monitoring dashboard without selecting services or KPIs.

At block 4753, the computing machine identifies a time range. The timerange can be a default time range or a time range specified in thedashboard template. The machine data can be represented as events. Thetime range can be used to indicate which events to use for the searchqueries for the identified KPIs.

At block 4755, for each KPI, the computing machine identifies a KPIwidget style to represent the respective KPI. In one implementation, thecomputing machine accesses the dashboard template that includesinformation identifying the KPI widget style to use for each KPI. Asdiscussed above, examples of KPI widget styles can include a Noel gaugewidget style, a single value widget style, a spark line widget style,and a trend indicator widget style. The computing machine can alsoobtain, from the dashboard template, additional visual characteristicsfor each KPI widget, such as, the name of the widget, the metric unit ofthe KPI value, settings for using nominal colors or colors to representstates and/or trends, the type of value to be represented in KPI widget(e.g., the type of value to be represented by value 4407 in a spark linewidget), etc.

The KPIs widget styles can display data differently for representing arespective KPI. The computing machine can produce a set of values and/ora value, depending on the KPI widget style for a respective KPI. If theKPI widget style represents the respective KPI using values for multiplepoints in time in the time range, method 4750 proceeds to block 4757.Alternatively, if the KPI widget style represents the respective KPIusing a single value during the time range, method 4750 proceeds toblock 4759.

At block 4759, if the KPI widget style represents the respective KPIusing a single value, the computing machine causes a value to beproduced from a set of machine data or events whose timestamps arewithin the time range. The value may be a statistic calculated based onone or more values extracted from a specific field in the set of machinedata or events when the search query is executed. The statistic may bean average of the extracted values, a mean of the extracted values, amaximum of the extracted values, a last value of the extracted values,etc. A single value widget style, a Noel gauge widget style, and trendindicator widget style can represent a KPI using a single value.

The search query that defines a respective KPI may produce a singlevalue which a KPI widget style can use. The computing machine can causethe search query to be executed to produce the value. The computingmachine can send the search query to an event processing system. Asdiscussed above, machine data can be represented as events. The machinedata used to derive the one or more KPI values can be identifiable on aper entity basis by referencing entity definitions that are aggregatedinto a service definition corresponding to the service whose performanceis reflected by the KPI.

The event processing system can access events with time stamps fallingwithin the time period specified by the time range, identify which ofthose events should be used (e.g., from the one or more entitydefinitions in the service definition for the service whose performanceis reflected by the KPI), produce the result (e.g., single value) usingthe identified events, and send the result to the computing machine. Thecomputing machine can receive the result and store the result in a datastore.

At block 4757, if the KPI widget style represents the respective KPIusing a set of values, the computing machine causes a set of values formultiple points in time in the time range to be produced. A spark linewidget style can represent a KPI using a set of values. Each value inthe set of values can represent an aggregate of data in a unit of timein the time range. For example, if the time range is “Last 15 minutes”,and the unit of time is one minute, then each value in the set of valuesis an aggregate of the data in one minute in the last 15 minutes.

If the search query that defines a respective KPI produces a singlevalue instead of a set of multiple values as required by the KPI widgetstyle (e.g., for the graph of the spark line widget), the computingmachine can modify the search query to produce the set of values (e.g.,for the graph of the spark line widget). The computing machine can causethe search query or modified search query to be executed to produce theset of values. The computing machine can send the search query ormodified search query to an event processing system. The eventprocessing system can access events with time stamps falling within thetime period specified by the time range, identify which of those eventsshould be used, produce the results (e.g., set of values) using theidentified events, and send the results to the computing machine. Thecomputing machine can store the results in a data store.

At block 4761, for each KPI, the computing machine generates the KPIwidget using the KPI widget style and the value or set of valuesproduced for the respective KPI. For example, if a KPI is beingrepresented by a spark line widget style, the computing machinegenerates the spark line widget using a set of values produced for theKPI to populate the graph in the spark line widget. The computingmachine also generates the value (e.g., value 4407 in spark line widget4400 in FIG. 44) for the spark line widget based on the dashboardtemplate. The dashboard template can store the selection of the type ofvalue that is to be represented in a spark line widget. For example, thevalue may represent the first data point in the graph, the last datapoint the graph, an average of all of the points in the graph, themaximum value from all of the points in the graph, or the mean of all ofthe points in the graph.

In addition, in some implementations, the computing machine can obtainKPI state information (e.g., from the service definition) specifying KPIstates, a range of values for each state, and a visual characteristic(e.g., color) associated with each state. The computing machine can thendetermine the current state of each KPI using the value or set of valuesproduced for the respective KPI, and the state information of therespective KPI. Based on the current state of the KPI, a specific visualcharacteristic (e.g., color) can be used for displaying the KPI widgetof the KPI, as discussed in more detail above.

At block 4763, the computing machine generates a service-monitoringdashboard with the KPI widgets for the KPIs using the dashboard templateand the KPI values produced by the respective search queries. In oneimplementation, the computing machine accesses a dashboard template thatis stored in a data store that includes information identifying the KPIsto be displayed in the service-monitoring dashboard. As discussed above,the dashboard template defines locations for placing the KPI widgets,and can also specify a background image over which the KPI widgets canbe placed.

At block 4765, the computing machine causes display of theservice-monitoring dashboard with the KPI widgets for the KPIs. Each KPIwidget provides a numerical and/or graphical representation of one ormore values for a corresponding KPI. Each KPI widget indicates how anaspect of the service is performing at one or more points in time. Forexample, each KPI widget can display a current KPI value, and indicatethe current state of the KPI using a visual characteristic associatedwith the current state. In one implementation, the service-monitoringdashboard is displayed in a viewing/investigation mode based on a userselection to view the service-monitoring dashboard is displayed in theviewing/investigation mode.

At block 4767, the computing machine optionally receives a request fordetailed information for one or more KPIs in the service-monitoringdashboard. The request can be received, for example, from a selection(e.g., user selection) of one or more KPI widgets in theservice-monitoring dashboard.

At block 4759, the computing machine causes display of the detailedinformation for the one or more KPIs. In one implementation, thecomputing machine causes the display of a deep dive visual interface,which includes detailed information for the one or more KPIs. A deepdive visual interface is described in greater detail below inconjunction with FIG. 50A.

The service-monitoring dashboard may allow a user to change a timerange. In response, the computing machine can send the search query andthe new time range to an event processing system. The event processingsystem can access events with time stamps falling within the time periodspecified by the new time range, identify which of those events shouldbe used, produce the result (e.g., one or more values) using theidentified events, and send the result to the computing machine. Thecomputing machine can then cause the service-monitoring dashboard to beupdated with new values and modified visual representations of the KPIwidgets.

FIG. 47B illustrates an example service-monitoring dashboard GUI 4700that is displayed based on the dashboard template, in accordance withone or more implementations of the present disclosure. GUI 4700 includesa user selected background image 4702 and one or more KPI widgets forone or more services that are displayed over the background image 4702.GUI 4700 can include other elements, such as, and not limited to text,boxes, connections, and widgets for ad hoc searches. Each KPI widgetprovides a numerical or graphical representation of one or more valuesfor a corresponding key performance indicator (KPI) indicating how anaspect of a respective service is performing at one or more points intime. For example, GUI 4700 includes a spark line widget 4718 which maybe for an aspect of Service-B, and a Noel gauge widget 4708 which may befor another aspect of Service-B. In some implementations, the appearanceof the widgets 4718 and 4708 (as well as other widgets in the GUI 4700)can reflect the current state of the respective KPI (e.g., based oncolor or other visual characteristic).

Each service is provided by one or more entities. Each entity isassociated with machine data. The machine data can include for example,and is not limited to, unstructured data, log data, and wire data. Themachine data that is associated with an entity can include datacollected from an API for software that monitors that entity. Themachine data used to derive the one or more values represented by a KPIis identifiable on a per entity basis by referencing entity definitionsthat are aggregated into a service definition corresponding to theservice whose performance is reflected by the KPI.

Each KPI is defined by a search query that derives the one or morevalues represented by the corresponding KPI widget from the machine dataassociated with the one or more entities that provide the service whoseperformance is reflected by the KPI. The search query for a KPI canderive the one or more values for the KPI it defines using alate-binding schema that it applies to machine data.

In one implementation, the GUI 4700 includes one or more search resultwidgets (e.g., widget 4712) displaying a value produced by a respectivesearch query, as specified by the dashboard template. For example,widget 4712 may represent the results of a search query producing astats count for a particular entity.

In one implementation, GUI 4700 facilitates user input for displayingdetailed information for one or more KPIs. A user can select one or moreKPI widgets to request detailed information for the KPIs represented bythe selected KPI widgets. The detailed information for each selected KPIcan include values for points in time during the period of time. Thedetailed information can be displayed via one or more deep dive visualinterfaces. A deep dive visual interface is described in greater detailbelow in conjunction with FIG. 50A.

Referring to FIG. 47, GUI 4700 facilitates user input for changing atime range. The machine data used by a search query to produce a valuefor a KPI is based on a time range. As described above in conjunctionwith FIG. 43, the time range can be a user-defined time range. Forexample, if the time range “Last 15 minutes” is selected, the last 15minutes would be an aggregation period for producing the value. GUI 4700can be updated with one or more KPI widgets that each represent one ormore values for a corresponding KPI indicating how a service provided isperforming at one or more points in time based on the change to the timerange.

FIG. 48 describes an example home page GUI 4800 for service-levelmonitoring, in accordance with one or more implementations of thepresent disclosure. GUI 4800 can include one or more tiles eachrepresenting a service-monitoring dashboard. The GUI 4800 can alsoinclude one or more tiles representing a service-related alarm, or thevalue of a particular KPI. In one implementation, a tile is a thumbnailimage of a service-monitoring dashboard. When a service-monitoringdashboard is created, a tile representing the service-monitoringdashboard can be displayed in the GUI 4800. GUI 4800 can facilitate userinput for selecting to view a service-monitoring dashboard. For example,a user may select a dashboard tile 4805, and GUI 4700 in FIG. 47 can bedisplayed in response to the selection. GUI 4800 can include tilesrepresenting the most recently accessed dashboards, and user selectedfavorites of dashboards.

FIG. 49 describes an example home page GUI 4900 for service-levelmonitoring, in accordance with one or more implementations of thepresent disclosure. GUI 4900 can include one or more tiles representinga deep dive. In one implementation, a tile is a thumbnail image of adeep dive. When a deep dive is created, a tile representing the deepdive can be displayed in the GUI 4900. GUI 4900 can facilitate userinput for selecting to view a deep dive. For example, a user may selecta deep dive tile 4907, and the visual interface 5300 in FIG. 55 can bedisplayed in response to the selection. GUI 4900 can include tilesrepresenting the most recently accessed deep dives, and user selectedfavorites of deep dives.

Example Deep Dive

Implementations of the present disclosure provide a GUI that providesin-depth information about multiple KPIs of the same service ordifferent services. This GUI referred to herein as a deep dive displaystime-based graphical visualizations corresponding to the multiple KPIsto allow a user to visually correlate the KPIs over a defined period oftime.

FIG. 50A is a flow diagram of an implementation of a method for creatinga visual interface displaying graphical visualizations of KPI valuesalong time-based graph lanes, in accordance with one or moreimplementations of the present disclosure. The method may be performedby processing logic that may comprise hardware (circuitry, dedicatedlogic, etc.), software (such as is run on a general purpose computersystem or a dedicated machine), or a combination of both. In oneimplementation, the method 5000 is performed by a client computingmachine. In another implementation, the method 5000 is performed by aserver computing machine coupled to the client computing machine overone or more networks.

At block 5001, the computing machine receives a selection of KPIs thateach indicates a different aspect of how a service (e.g., a web hostingservice, an email service, a database service) provided by one or moreentities (e.g., host machines, virtual machines, switches, firewalls,routers, sensors, etc.) is performing. As discussed above, each of theseentities produces machine data or has its operation reflected in machinedata not produced by that entity (e.g., machine data collected from anAPI for software that monitors that entity while running on anotherentity). Each KPI is defined by a different search query that derivesone or more values from the machine data pertaining to the entitiesproviding the service. Each of the derived values is associated with apoint in time and represents the aspect of how the service is performingat the associated point in time. In one implementation, the KPIs areselected by a user using GUIs described below in connection with FIGS.51, 52 and 57-63.

At block 5003, the computing machine derives the value(s) for each ofthe selected KPIs from the machine data pertaining to the entitiesproviding the service. In one implementation, the computing machineexecutes a search query of a respective KPI to derive the value(s) forthat KPI from the machine data.

At block 5005, the computing machine causes display of a graphicalvisualization of the derived KPI values along a time-based graph lanefor each of the selected KPIs. In one implementation, the graph lanesfor the selected KPIs are parallel to each other and the graphicalvisualizations in the graph lanes are all calibrated to the same timescale. In one implementation, the graphical visualizations are displayedin the visual interfaces described below in connection with FIGS. 53-56and 64A-70.

FIG. 50B is a flow diagram of an implementation of a method forgenerating a graphical visualization of KPI values along a time-basedgraph lane, in accordance with one or more implementations of thepresent disclosure.

At block 5011, the computing machine receives a request to create agraph for a KPI. Depending on the implementation, the request can bemade by a user from service-monitoring dashboard GUI 4700 or from a GUI5100 for creating a visual interface, as described below with respect toFIG. 51. At block 5013, the computing machine displays the availableservices that are being monitored, and at block 5015, receives aselection of one of the available services. At block 5017, the computingmachine displays the KPIs associated with the selected service, and atblock 5019, receives a selection of one of the associated KPIs. In oneimplementation, the KPIs are selected by a user using GUIs describedbelow in connection with FIGS. 51, 52 and 57-63. At block 5021, thecomputing machine uses a service definition of the selected service toidentify a search query corresponding to the selected KPI. At block5023, the computing machine determines if there are more KPI graphs tocreate. If the user desires to create additional graphs, the methodreturns to block 5013 and repeats the operations of blocks 5013-5021 foreach additional graph.

If there are no more KPI graphs to create, at block 5025, the computingmachine identifies a time range. The time range can be defined based ona user input, which can include, e.g., identification of a relative timeor absolute time, perhaps entered through user interface controls. Thetime range can include a portion (or all) of a time period, where thetime period corresponds to one used to indicate which values of the KPIto retrieve from a data store. In one implementation, the time range isselected by a user using GUIs described below in connection with FIGS.54 and 63. At block 5027, the computing device creates a time axisreflecting the identified time range. The time axis may run parallel toat least one graph lane in the create visual interface and may includean indication of the amount of time represented by a time scale for thevisual interface (e.g., “Viewport: 1 h 1 m” indicating that thegraphical visualizations in the graph lanes display KPI values for atime range of one hour and one minute).

At block 5029, the computing device executes the search querycorresponding to each KPI and stores the resulting KPI dataset valuesfor the selected time range. At block 5031, the computing devicedetermines the maximum and minimum values of the KPI for the selectedtime range and at block 5033 creates a graph lane in the visualinterface for each KPI using the maximum and minimum values as theheight of the lane. In one implementation, a vertical scale for eachlane may be automatically selected using the maximum and minimum KPIvalues during the current time range, such that the maximum valueappears at or near the top of the lane and the minimum value appears ator near the bottom of the lane. The intermediate values between themaximum and minimum may be scaled accordingly.

At block 5035, the computing device creates a graphical visualizationfor each lane using the KPI values during the selected time period andselected visual characteristics. In one implementation, the KPI valuesare plotted over the time range in a time-based graph lane. Thegraphical visualization may be generated according to an identifiedgraph type and graph color, as well as any other identified visualcharacteristics. At block 5037, the computing device calibrates thegraphical visualizations to a same time scale, such that the graphicalvisualization in each lane of the visual interface represents KPI dataover the same period of time.

Blocks 5025-5037 can be repeated for a new time range. Such repetitioncan occur, e.g., after detecting an input corresponding to anidentification of a new time range. The generation of a new graphicalvisualization can include modification of an existing graphicalvisualization.

FIG. 51 illustrates an example GUI 5100 for creating a visual interfacedisplaying graphical visualizations of KPI values along time-based graphlanes, in accordance with one or more implementations of the presentdisclosure. The GUI 5100 can receive user input for a number of inputfields 5102, 5104 and selection of selection buttons 5106. For example,input field 5102 can receive a title for the visual interface beingcreated. Input field 5104 may receive a description of the visualinterface. The input to input fields 5102 and 5104 may be optional inone implementation, such that it is not absolutely required for creationof the visual interface. Input to fields 5102 and 5104 may be helpful,however, in identifying the visual interface once it is created. In oneimplementation, if a title is not received in input fields 5102 and5104, the computing machine may assign a default title to the createdvisual interface. Selection buttons 5106 may receive input pertaining toan access permission for the visual interface being created. In oneimplementation, the user may select an access permission of either“Private,” indicating that the visual interface being created will notbe accessible to any other users of the system instead being reservedfor private use by the user, or “Shared,” indicating that once created,the visual interface will be accessible to other users of the system.Upon, the optional entering of title and description into fields 5102and 5104 and the selection of an access permission using buttons 5106,the selection of button 5108 may initiate creation of the visualinterface. In one implementation, in addition to “Private” or “Shared”there may be additional or intermediate levels of access permissions.For example, certain individuals or groups of individuals may be grantedaccess or denied access to a given visual interface. There may be a rolebased access control system where individuals assigned to a certain roleare granted access or denied access.

FIG. 52 illustrates an example GUI 5200 for adding a graphicalvisualization of KPI values along a time-based graph lane to a visualinterface, in accordance with one or more implementations of the presentdisclosure. In one implementation, in response to the creation of avisual interface using GUI 5100, the system presents GUI 5200 in orderto add graphical visualizations to the visual interface. The graphicalvisualizations correspond to KPIs and are displayed along a time-basedgraph lane in the visual interface.

In one example, GUI 5200 can receive user input for a number of inputfields 5202, 5204, 5212, selections from drop down menus 5206, 5208,and/or selection of selection buttons 5210 or link 5214. For example,input field 5202 can receive a title for the graphical visualizationbeing added. Input field 5204 may receive a subtitle or description ofthe graphical visualization. The input to input fields 5202 and 5204 maybe optional in one implementation, such that it is not absolutelyrequired for addition of the graphical visualization. Input to fields5202 and 5204 may be helpful, however, in identifying the graphicalvisualization once it is added to the visual interface. In oneimplementation, if a title is not received in input fields 5202 or 5204,the computing machine may assign a default title to the graphicalvisualization being added.

Drop down menu 5206 can be used to receive a selection of a graph style,and drop down menu 5208 can be used to receive a selection of a graphcolor for the graphical visualization being added. Additional detailswith respect to selection of the graph style and the graph color for thegraphical visualization are described below in connection with FIGS. 57and 58.

Selection buttons 5210 may receive input pertaining to a search sourcefor the graphical visualization being added. In one implementation, theuser may select search source of “Ad Hoc,” “Data Model” or “KPI.”Additional details with respect to selection of the search source forthe graphical visualization are described below in connection with FIGS.57, 59 and 60. Input field 5212 may receive a user-input search query ordisplay a search query associated with the selected search source 5210.Selection of link 5214 may indicate that the user wants to execute thesearch query in input field 5212. When a search query is executed, thesearch query can produce one or more values that satisfy the searchcriteria for the search query. Upon the entering of data and theselection menu items, the selection of button 5216 may initiate theaddition of the graphical visualization to the visual interface.

FIG. 53 illustrates an example of a visual interface 5300 withtime-based graph lanes for displaying graphical visualizations, inaccordance with one or more implementations of the present disclosure.In one example, the visual interface 5300 includes three time-basedgraph lanes 5302, 5304, 5306. These graph lanes may correspond to thegraphical visualizations of KPI values added to the visual interfaceusing GUI 5200 as described above. Each of the graph lanes 5302, 5304,5306 can display a graphical visualization for corresponding KPI valuesover a time range. Initially the lanes 5302, 5304, 5306 may not includethe graphical visualizations until a time range is selected using dropdown menu 5308. Additional details with respect to selection of the timerange from drop down menu 5308 are described below in connection withFIG. 63. In another implementation, a default time range may beautomatically selected and the graphical visualizations may be displayedin lanes 5302, 5304, 5306.

FIG. 54 illustrates an example of a visual interface 5300 displayinggraphical visualizations of KPI values along time-based graph lanes, inaccordance with one or more implementations of the present disclosure.In one implementation, each of the time-based graph lanes 5302, 5304,5306 include a visual representation of corresponding KPI values. Thevisual representations in each lane may be of different graph stylesand/or colors or have the same graph styles and/or colors. For example,lane 5302 includes a bar chart, lane 5304 includes a line graph and lane5306 includes a bar chart. The graph type and graph color of the visualrepresentation in each lane may be selected using GUI 5200, as describedabove. Depending on the implementation, the KPIs represented by thegraphical visualizations may correspond to different services or maycorrespond to the same service. In one implementation, multiple of theKPIs may correspond to the same service, while one or more other KPIsmay correspond to a different service.

The graphical visualizations in each lane 5302, 5304, 5306 can all becalibrated to the same time scale. That is, each graphical visualizationcorresponds to a different KPI reflecting how a service is performingover a given time range. The time range can be reflected by a time axis5410 for the graphical visualizations that runs parallel to at least onegraph lane. The time axis 5410 may include an indication of the amountof time represented by the time scale (e.g., “Viewport: 1 h 1 m”indicating that the graphical visualizations in graph lanes 5302, 5304,5306 display KPI values for a time range of one hour and one minute),and an indication of the actual time of day represented by the timescale (e.g., “12:30, 12:45, 01 PM, 01:15”). In one implementation, a barrunning parallel to the time lanes including the indication of theamount of time represented by the time scale (e.g., “Viewport: 1 h 1 m”)is highlighted for an entire length of time axis 5410 to indicate thatthe current portion of the time range being viewed includes the entiretime range. In other implementations, when only a subset of the timerange is being viewed, the bar may be highlighted for a proportionalsubset of the length of time axis 5410 and only in a location along timeaxis 5410 corresponding to the subset. In one implementation, at least aportion of the time axis 5410 is displayed both above and below thegraph lanes 5302, 5304, 5306. In one implementation, an indicatorassociated with drop down menu 5308 also indicates the selected timerange (e.g., “Last 60 minutes”) for the graphical visualizations.

In one implementation, when one of graph lanes 5302, 5304, 5306 isselected (e.g., by hovering the cursor over the lane), a grab handle5412 is displayed in association with the selected lane 5302. When userinteraction with grab handle 5412 is detected (e.g., by click and holdof a mouse button), the graph lanes may be re-ordered in visualinterface 5300. For example, a user may use grab handle 5412 to movelane 5302 to a different location in visual interface 5300 with respectto the other lanes 5304, 5306, such as between lanes 5304 and 5306 orbelow lanes 5304 and 5306. When another lane is selected, acorresponding grab handle may be displayed for the selected lane andused to detect an interaction of a user indicative of an instruction tore-order the graph lanes. In one implementation, a grab handle 5412 isonly displayed when the corresponding lane 5302 is selected, and hiddenfrom view when the lane is not selected.

While the horizontal axis of each lane is scaled according to theselected time range, and may be the same for each of the lanes 5302,5304, 5306, a scale for the vertical axis of each lane may be determinedindividually. In one implementation, a scale for the vertical axis ofeach lane may be automatically selected such that the graphicalvisualization spans most or all of a width/height of the lane. In oneimplementation, the scale may be determined using the maximum andminimum values reflected by the graphical visualization for thecorresponding KPI during the current time range, such that the maximumvalue appears at or near the top of the lane and the minimum valueappears at or near the bottom of the lane. The intermediate valuesbetween the maximum and minimum may be scaled accordingly. In oneimplementation, a search query associated with the KPI is executed for aselected period of time. The results of the query return a dataset ofKPI values, as shown in FIG. 45. The maximum and minimum values fromthis dataset can be determined and used to scale the graphicalvisualization so that most or all of the lane is utilized to display thegraphical visualization.

FIG. 55A illustrates an example of a visual interface 5300 with a usermanipulable visual indicator 5514 spanning across the time-based graphlanes, in accordance with one or more implementations of the presentdisclosure. Visual indicator 5514, also referred to herein as a “laneinspector,” may include, for example, a line or other indicator thatspans vertically across the graph lanes 5302, 5304, 5306 at a givenpoint in time along time axis 5410. The visual indicator 5514 may beuser manipulable such that it may be moved along time axis 5410 todifferent points. For example, visual indicator 5514 may slide back andforth along the lengths of graph lanes 5302, 5304, 5306 and time axis5410 in response to user input received with a mouse, touchpad,touchscreen, etc.

In one implementation, visual indicator 5514 includes a display of thepoint in time at which it is currently located. In the illustratedexample, the time associated with visual indicator 5514 is “12:44:43PM.” In one implementation, visual indicator 5514 further includes adisplay of a value reflected in each of the graphical visualizations forthe different KPIs at the current point in time illustrated by visualindicator 5514. In the illustrated example, the value of the graphicalvisualization in lane 5302 is “3.65,” the value of the graphicalvisualization in lane 5304 is “60,” and the value of the graphicalvisualization in lane 5306 is “0.” In one implementation, units for thevalues of the KPIs are not displayed. In another implementation, unitsfor the values of the KPIs are displayed. In one implementation, whenone of lanes 5302, 5304, 5306 is selected (e.g., by hovering the cursorover the lane) a maximum and a minimum values reflected by the graphicalvisualization for a corresponding KPI during the current time range aredisplayed adjacent to visual indicator 5514. For example, in lane 5304,a maximum value of “200” is displayed and a minimum value of “0” isdisplayed adjacent to visual indicator 5514. This indicates that thehighest value of the KPI corresponding to the graphical visualization inlane 5304 during the time period represented by time axis 5410 is “200”and the lowest value during the same time period is “0.” In otherimplementations, the maximum and minimum values may be displayed for alllanes, regardless of whether they are selected, or may not be displayedfor any lanes.

In one implementation, visual interface 5300 may include an indicationwhen the values for a KPI reach one of the predefined KPI thresholds. Asdiscussed above, during the creation of a KPI, the user may define oneor more states for the KPI. The states may have corresponding visualcharacteristics such as colors (e.g., red, yellow, green). In oneimplementation, the graph color of the graphical visualization maycorrespond to the color defined for the various states. For example, ifthe graphical visualization is a line graph, the line may have differentcolors for values representing different states of the KPI. In anotherimplementation, the current value of a selected lane displayed by visualindicator 5514 may change color to correspond to the colors defined forthe various states of the KPI. In another implementation, the values ofall lanes displayed by visual indicator 5514 may change color based onthe state, regardless of which lane is currently selected. In anotherimplementation, there may be a line or bar running parallel to at leastone of lanes 5302, 5304, 5306 that is colored according to the colorsdefined for the various KPI states when the value of the correspondingKPI reaches or passes a defined threshold causing the KPI to changestates. In yet another implementation, there may be horizontal linesrunning along the length of at least one lane to indicate where thethresholds defining different KPI states are located on the verticalaxis of the lane. In other implementations, the thresholds may beindicated in visual interface 5300 in some other manner.

FIG. 55B is a flow diagram of an implementation of a method forinspecting graphical visualizations of KPI values along a time-basedgraph lane, in accordance with one or more implementations of thepresent disclosure. At block 5501, the computing machine determines apoint in time corresponding to the current position of lane inspector5514. The lane inspector 5514 may be user manipulable such that it maybe moved along time axis 5410 to different points in time. For each KPIdataset represented by a graphical visualization in the visualinterface, at block 5503, the computing machine determines a KPI valuecorresponding to the determined point in time. In addition, at block5505, the computing machine determines a state of the KPI at thedetermined point in time, based on the determined value and the definedKPI thresholds. The determine state may include, for example, a criticalstate, a warning state, a normal state, etc. At block 5507, thecomputing device determines the visual characteristics of the determinedstate, such as a color (e.g., red, yellow, green) associated with thedetermined state.

At block 5509, the computing machine displays the determined valueadjacent to lane inspector 5514 for each of the graphical visualizationsin the visual interface. In the example illustrated in FIG. 55A, thevalue of the graphical visualization in lane 5302 is “3.65,” the valueof the graphical visualization in lane 5304 is “60,” and the value ofthe graphical visualization in lane 5306 is “0.” If the lane inspector5514 is moved to a new position representing a different time, theoperations at blocks 5501-5509 may be repeated.

At block 5511, the computing machine receives a selection of one of thelanes or graphical visualizations within a lane in the visual interface.In one implementation, one of graph lanes 5302, 5304, 5306 is selectedby hovering the cursor over the lane. At block 5513, the computingmachine determines the maximum and minimum values of the KPI datasetassociated with the selected lane. In one implementation, a search queryassociated with the KPI is executed for a selected period of time. Theresults of the query return a dataset of KPI values, as shown in FIG.45. The maximum and minimum values from this dataset can be determined.At block 5515, the computing machine displays the maximum and minimumvalues adjacent to lane inspector 5515. For example, in lane 5304, amaximum value of “200” is displayed and a minimum value of “0” isdisplayed adjacent to lane inspector 5514.

FIG. 56 illustrates an example of a visual interface 5300 displayinggraphical visualizations of KPI values along time-based graph lanes withoptions for editing the graphical visualizations, in accordance with oneor more implementations of the present disclosure. In oneimplementation, when one of graph lanes 5302, 5304, 5306 is selected(e.g., by hovering the cursor over the lane), a GUI element such as agear icon 5616 is displayed in association with the selected lane 5306.When user interaction with gear icon 5616 is detected, a drop down menu5618 may be displayed. Drop down menu 5618 may include one or more userselectable options including, for example, “Edit Lane,” “Delete Lane,”“Open in Search,” or other options. Selection of one of these optionsmay cause display of a graphical interface to allow the user to edit thegraphical visualization in the associated lane 5306, delete the lane5306 from the visual interface 5300, or display the underlying data(e.g., events, machine data) from which the KPI values of the associatedgraphical visualization are derived. Additional details with respect toediting the graphical visualization are described below in connectionwith FIG. 57. When another lane is selected, a corresponding gear icon,or other indicator, may be displayed for the selected lane. In oneimplementation, a gear icon 5616 is only displayed when thecorresponding lane 5306 is selected, and hidden from view when the laneis not selected.

FIG. 57 illustrates an example of a GUI 5700 for editing a graphicalvisualization of KPI values along a time-based graph lane in a visualinterface, in accordance with one or more implementations of the presentdisclosure. In one implementation, in response to the selection of the“Edit Lane” option in drop down menu 5618, the system presents GUI 5700in order to edit the corresponding graphical visualization.

In one implementation, GUI 5700 can receive user input for a number ofinput fields 5702, 5704, 5712, selections from drop down menus 5706,5708, or selection of selection buttons 5710 or link 5714. In oneimplementation, input field 5702 can be used to edit the title for thegraphical visualization. Input field 5204 may be used to edit thesubtitle or description of the graphical visualization. In oneimplementation drop down menu 5706 can be used to edit the graph style,and drop down menu 5708 can be used to edit the graph color for thegraphical visualization. For example, upon selection of drop down menu5708, a number of available colors may be displayed for selection by theuser. Upon selection of a color, the corresponding graphicalvisualization may be displayed in the selected color. In oneimplementation, no two graphical visualizations in the same visualinterface may have the same color. Accordingly, the available colorsdisplayed for selection may not include any colors already used forother graphical visualizations. In one implementation, the color of agraphical visualization may be determined automatically according to thecolors associated with defined thresholds for the corresponding KPI. Insuch an implementation, the user may not be allowed to edit the graphcolor in drop down menu 5708.

Selection buttons 5710 may be used to edit a search source for thegraphical visualization. In the illustrated implementation, an “Ad Hoc”search source has been selected. In response, an input field 5712 maydisplay a user-input search query. The search query may include searchcriteria (e.g., keywords, field/value pairs) that produce a dataset or asearch result of events or other data that satisfy the search criteria.In one implementation, a user may edit the search query by makingchanges, additions, or deletions, to the search query displayed in inputfield 5712. The Ad Hoc search query may be executed to generate adataset of values that can be plotted over the time range as a graphicalvisualization (e.g., as shown in visual interface 5300). Selection oflink 5714 may indicate that the user wants to execute the search queryin input field 5712. Upon the editing of data and/or the selection menuitems, the selection of button 5716 may indicate that the editing of thegraphical visualization is complete.

FIG. 58 illustrates an example of a GUI 5700 for editing a graph styleof a graphical visualization of KPI values along a time-based graph lanein a visual interface, in accordance with one or more implementations ofthe present disclosure. In one implementation, drop down menu 5706 canbe used to edit the graph style of the graphical visualization. Forexample, upon selection of drop down menu 5706, a list 5806 of availablegraph types may be displayed for selection by the user. In oneimplementation, the available graph types include a line graph, an areagraph, or a column graph. In other implementations, additional graphtypes may include a bar cart, a plot graph, a bubble chart, a heat map,or other graph types. Upon selection of a graph type, the correspondinggraphical visualization may be displayed in the selected graph type. Inone implementation, each graphical visualization on the visual interfacehas the same graph type. Accordingly, when the graph type of onegraphical visualization is changed, the graph type of each remaininggraphical visualization in the visual interface is automatically changedto the same graph type. In another implementation, each graphicalvisualization in the visual interface may have a different graph type.In one implementation, the graph type of a graphical visualization maybe determined automatically based on the corresponding KPI or service.In such an implementation, the user may not be allowed to edit the graphtype in drop down menu 5706.

FIG. 59 illustrates an example of a GUI 5700 for selecting the KPIcorresponding to a graphical visualization along a time-based graph lanein a visual interface, in accordance with one or more implementations ofthe present disclosure. In one implementation, selection buttons 5710may be used to edit a search source for the graphical visualization. Inthe illustrated implementation, the “KPI” search source has beenselected. In response, drop down menus 5912, 5914 and input field 5916may be displayed. Drop down menu 5912 may be used to select a service,the performance of which will be represented by the graphicalvisualization. Upon selection, drop down menu 5912 may display a list ofavailable services. Drop down menu 5914 may be used to select the KPIthat indicates an aspect of how the selected service is performing. Uponselection, drop down menu 5914 may display a list of available KPIs.Input field 5916 may display a search query corresponding to theselected KPI. The search query may derive one or more values frommachine data pertaining to one or more entities providing a service. Inone implementation, a user may edit the search query by making changes,additions, or deletions, to the search displayed in input field 5916.Selection of link 5918 may indicate that the user wants to execute thesearch query in input field 5916.

FIG. 60 illustrates an example of a GUI 5700 for selecting a data modelcorresponding to a graphical visualization along a time-based graph lanein a visual interface, in accordance with one or more implementations ofthe present disclosure. In one implementation, selection buttons 5710may be used to edit a search source for the graphical visualization. Inthe illustrated implementation, the “Data Model” search source has beenselected. In response, drop down menus 6012, 6014 and input fields 6016,6018 may be displayed. Drop down menu 6012 may be used to select a datamodel on which the graphical visualization will be based. Uponselection, drop down menu 6012 may display a list of available datamodels. Additional details with respect to selection of a data model aredescribed below in connection with FIG. 61. Drop down menu 6014 may beused to select a statistical function for the data model. Uponselection, drop down menu 6014 may display a list of availablefunctions. Additional details with respect to selection of a data modelfunction are described below in connection with FIG. 62. Input field6016 may display a “Where clause” that can be used to further refine thesearch associated with the selected data model and displayed in inputfield 6018. The where clause may include, for example the WHERE commandfollowed by a key/value pair (e.g., WHERE host=Vulcan). In oneimplementation, “host” is a field name and “Vulcan” is a value stored inthe field “host.” The WHERE command may further filter the results ofthe search query associated with the selected data model to only returndata that is associated with the host name “Vulcan.” As a result, thesearch can filter results based on a particular entity or entities thatprovide a service. In one implementation, a user may also edit thesearch query by making changes, additions, or deletions, to the searchdisplayed in input field 6018. The data model search query may beexecuted to generate a dataset of values that can be plotted over thetime range as a graphical visualization (e.g., as shown in visualinterface 5300). Selection of link 6020 may indicate that the user wantsto execute the search query in input field 6018.

FIG. 61 illustrates an example of a GUI 6100 for selecting a data modelcorresponding to a graphical visualization along a time-based graph lanein a visual interface, in accordance with one or more implementations ofthe present disclosure. In one implementation, upon selection of dropdown menu 6012, GUI 6100 is displayed. GUI 6100 allows for the selectionand configuration of a data model to be used as the search source forthe graphical visualization. In GUI 6100, a user may select an existingdata model from drop down menu 6102. Additionally, a user may select oneof objects 6104 of the data model. In one implementation, an object is asearch that defines one or more events. The data model may be a groupingof objects that are related. Furthermore, a user may select one of thefields 6106 to derive one or more values for the graph. Additionaldetails regarding data models are provided below.

FIG. 62 illustrates an example of a GUI 5700 for editing a statisticalfunction for a data model corresponding to a graphical visualizationalong a time-based graph lane in a visual interface, in accordance withone or more implementations of the present disclosure. In oneimplementation, drop down menu 6014 may be used to select statisticalfunction for the data model. For example, upon selection of drop downmenu 6014, a list 6214 of available statistical functions may bedisplayed for selection by the user. In one implementation, theavailable statistical functions include average, count, distinct count,maximum, minimum, sum, standard deviation, median or other operations.The selected statistical function may be used to produce one or morevalues for display as the graphical visualization. In oneimplementation, the available statistical functions may be dependent onthe data type of the selected field from fields 6106 in GUI 6100. Forexample, when the selected field has a numerical data type, any of theabove listed statistical functions may be available. When the selectedfield has a string data type, however, the only available operations maybe count and distinct count, as the arithmetic operations cannot beperformed on a string data type. In one implementation, the statisticalfunction may be determined automatically based on the corresponding datamodel. In such an implementation, the user may not be allowed to editthe statistical function in drop down menu 5214.

FIG. 63 illustrates an example of a GUI 6300 for selecting a time rangethat graphical visualizations along a time-based graph lane in a visualinterface should cover, in accordance with one or more implementationsof the present disclosure. In one implementation, drop down menu 5308may be used to select a time range for the graphical visualizations inthe visual interface 5300 of FIG. 53. For example, upon selection ofdrop down menu 5308, a GUI 6300 for selection of the time range may bedisplayed. In one implementation, the time range selection options mayinclude a real-time period 6302, a relative time period 6304 or someother time period 6306. For real-time execution, the time range formachine data can be a real-time period 6302 (e.g., 30-second window,1-minute window, 1-hour window, etc.) from the execution time (e.g.,each time the query is executed, the events with timestamps within thespecified time window from the query execution time will be used). Inreal-time execution, a search query associated with the KPI may becontinually executed (or periodically executed at a relatively shortperiod (e.g., 1 second)) to continually show a graphical visualizationreflecting KPI values from the last one hour (or other real-time period)of time. Thus, if the 1 hour window initially covers from 12 pm to 1 pm,at 1:30, the 1 hour window may cover from 12:30 pm to 1:30 pm. In otherwords, the time period may be considered a rolling time period, as itconstantly changes as time moves forward. For relative execution, therelative time period 6304 can be historical (e.g., yesterday, previousweek, etc.) or based on a specified time window from the request time orscheduled time (e.g., last 15 minutes, last 4 hours, etc.). For example,the historical time range “Yesterday” can be selected for relativeexecution. In another example, the window time range “Last 15 minutes”can be selected for relative execution. In relative execution, thesearch query associated with the KPI may only be executed upon a requestfor updated values from the user. Thus, if the 1 hour window covers from12 pm to 1 pm, that time period will not change until the user requestsan update, at which point the most recent 1 hour of values will bedisplayed. In one implementation, the other time period may include, forexample, all of the time where KPI values are available for thecorresponding service. Additional time range options may allow the userto specify a particular date or time range over which the KPI values areto be displayed as graphical visualizations.

FIG. 64A illustrates an example of a visual interface 5300 for selectinga subset of a time range that graphical visualizations along atime-based graph lane in a visual interface cover, in accordance withone or more implementations of the present disclosure. In oneimplementation, visual indicator 5514 may be used to select a subset6402 of the time range represented by time axis 5410, and thecorresponding portions of the graphical visualizations in lanes 5302,5304, 5306. In one implementation, a user may use a mouse or otherpointing device to position visual indicator 5514 at a starting positionalong time axis 5410, then click and drag to select the desired subset6402. In one embodiment, the selected subset 6402 is shown as shaded inthe visual interface 5300. In another implementation, all areas exceptthe selected subset 6402 are shown as shaded. The selection of subset6402 may be an indication that the user wishes to more closely inspectthe KPI values of the graphical visualizations during the time periodrepresented by the subset 6402. As a result, in response to theselection, the subset 6402 may be emphasized, enlarged, or zoomed inupon to allow closer inspection.

FIG. 64B is a flow diagram of an implementation of a method forenhancing a view of a subset a subset of a time range for a time-basedgraph lane, in accordance with one or more implementations of thepresent disclosure. At block 6401, the computing device determines a newtime range based on the positions of lane inspector 5514. In oneimplementation, lane inspector 5514 may be used to select a subset 6402of the time range represented by time axis 5410, and the correspondingportions of the graphical visualizations in lanes 5302, 5304, 5306. Atblock 6403, the computing device identifies a subset of values of eachKPI that correspond to the new time range. In one embodiment, each valuein the KPI dataset may have a corresponding time value or timestamp.Thus, the computing device can filter the dataset to identify valueswith a timestamp included in the selected subset of the time range.

At block 6405, the computing device determines the maximum and minimumvalues in the selected subset of values for each KPI, and at block 6407adjusts the time axis of the lanes in the graphical visualization toreflect the new time range. In one implementation, the subset 6402 isexpanded to fill the entire length or nearly the entire length of graphlanes 5302, 5304, 5306. The horizontal axis of each lane may be scaledaccording to the selected subset 6402. At block 6409, the computingdevice adjusts the height of the lanes based on the new maximum andminimum values. In one implementation, the vertical axis of each lane isscaled according to the maximum and minimum values reflected by thegraphical visualization for a corresponding KPI during the selectedsubset 6402. At block 6411, the computing device modifies the graphsbased on the subsets of values and calibrates the graphs to the sametime scale based on the new time range. Additional details are describedwith respect to FIG. 65.

FIG. 65 illustrates an example of a visual interface displayinggraphical visualizations of KPI values along time-based graph lanes fora selected subset of a time range, in accordance with one or moreimplementations of the present disclosure. In response to the selectionof subset 6402 using visual indicator 5514, the system may recalculatethe time range that the graphical visualizations in graph lanes 5302,5304, 5306 should cover. In one implementation, the subset 6402 isexpanded to fill the entire length or nearly the entire length of graphlanes 5302, 5304, 5306. The horizontal axis of each lane is scaledaccording to the selected subset 6402 and the vertical axis of each laneis scaled according to the maximum and minimum values reflected by thegraphical visualization for a corresponding KPI during the selectedsubset 6402. In one implementation, the maximum value appears at or nearthe top of the lane and the minimum value appears at or near the bottomof the lane. The intermediate values between the maximum and minimum maybe scaled accordingly.

In one implementation, time access 5410 is updated according to theselected subset 6402. The time axis 5410 may include an indication ofthe amount of time represented by the time scale (e.g., “Viewport: 5 m”indicating that the graphical visualizations in graph lanes 5302, 5304,5306 display KPI values for a time range of five minutes), and anindication of the actual time of day represented by the original timescale (e.g., “12:30, 12:45, 01 PM, 01:15”). In one implementation, a barrunning parallel to the time lanes including the indication of theamount of time represented by the time scale (e.g., “Viewport: 1 h 1 m”)is highlighted for a proportional subset of the length of time axis 5410and only in a location along time axis 5410 corresponding to the subset.In the illustrated embodiment, the highlighted portion of the horizontalbar indicates that the selected subset 6402 occurs sometime between “01PM” and “01:15.” In one implementation, at least a portion of the timeaxis 5410 is displayed above the graph lanes 5302, 5304, 5306 as well.This portion of the time axis indicates the actual time of dayrepresented by the selected subset 6402 (e.g., “01:05, 01:06, 01:07,01:08, 01:09”). In one implementation, a user may return to theun-zoomed view of the original time period by clicking thenon-highlighted portion of the horizontal bar in the time axis 5410.

FIG. 66 illustrates an example of a visual interface 5300 displayingtwin graphical visualizations of KPI values along time-based graph lanesfor different periods of time, in accordance with one or moreimplementations of the present disclosure. In one implementation, eachof graph lanes 5302, 5304, 5306 has a corresponding twin lane 6602,6604, 6606. The twin lanes 6602, 6604, 6606 may display a secondgraphical visualization in parallel with the first graphicalvisualization in graph lanes 5302, 5304, 5306. The KPI values reflectedin the second graphical visualization may correspond to the same KPI (orother search source) for a different period of time than the valuesreflected in the first graphical visualization. In one implementation, auser may add the twin lanes 6602, 6604, 6606 by selecting drop down menu6608. In one implementation, drop down menu 6608 can be used to selectthe period of time for the values reflected in the second graphicalvisualizations. For example, upon selection of drop down menu 6608, alist 6610 of available time periods may be displayed for selection bythe user. In one implementation, the available time periods may includeperiods of time in the past when KPI data is available for one or moreof the graphical visualizations. In one implementation, a twin lane maybe created for each of the lanes in the visual interface, and a searchquery of each KPI can be executed using the specified time range toproduce one or more time values for the second graphical visualizationof a corresponding KPI. Because the new time range is associated with adifferent point(s) in time, the machine data or events used by thesearch query for the second graphical visualization will be differentthan the machine data that was used by the search query for the originalgraphical visualization, and therefore the values produced for thesecond graphical visualization are likely to be different from thevalues that were produced for the original graphical visualization. Inanother implementation, a twin lane may be created only for one or moreselected lanes in the visual interface, and only search queries of thoseKPIs can be executed. In one implementation, if past KPI data is notavailable for the selected time range, no second graphical visualizationmay be displayed in the twin lane 6606.

FIG. 67 illustrates an example of a visual interface with a usermanipulable visual indicator 5514 spanning across twin graphicalvisualizations of KPI values along time-based graph lanes for differentperiods of time, in accordance with one or more implementations of thepresent disclosure. Visual indicator 5514, also referred to herein as a“lane inspector,” may include, for example, a line or other indicatorthat spans across the graph lanes 5302, 6602, 5304, 6604, 5306, 6606 ata given point in time along time axis 5410. The visual indicator 5514may be user manipulable such that it may be moved along time axis 5410to different points. For example, visual indicator 5514 may slide backand forth along the lengths of graph lanes and time axis 5410 inresponse to user input received with a mouse, touchpad, touchscreen,etc.

In one implementation, visual indicator 5514 includes a display of thepoint in time at which it is currently located both in original lanes5302, 5304, 5306 and twin lanes 6602, 6604, 6606. In the illustratedexample, the times associated with visual indicator 5514 are “ThuSeptember 4 01:35:34 PM” for the original lanes and “Wed September 301:35:34 PM” for the twin lanes. Thus, the twin lanes show values of thesame KPI from the same time range on the previous day. In oneimplementation, visual indicator 5514 further includes a display of avalue reflected in each of the graphical visualizations for thedifferent KPIs at the point in time corresponding to the position ofvisual indicator 5514. In the illustrated example, the value of thegraphical visualization in lane 5302 is “0,” the value of the graphicalvisualization in lane 6302 is “1.52,” the value of the graphicalvisualization in lane 5304 is “36,” the value of the graphicalvisualization in lane 6304 is “31,” the value of the graphicalvisualization in lane 5306 is “0,” and lane 6306 has no data available.In one implementation, the graphical visualizations in twin lanes 6302,6304, 6306 have the same graph type and a similar graph color as thegraphical visualizations in the corresponding graph lanes 5302, 5304,5306. In another implementation, the second graphical visualizations areconfigurable such that the user can adjust the graph type and the graphcolor. In one implementation, rather than being displayed in twinparallel lanes, the second graphical visualizations may be overlaid ontop of the original graphical visualizations.

FIG. 68 illustrates an example of a visual interface 5300 displaying agraph lane 6806 with inventory information for a service or entitiesreflected by KPI values, in accordance with one or more implementationsof the present disclosure. In one implementation, an additional lane6806 is displayed in parallel to at least one of graph lanes 6802 and6804. Graph lanes 6802 and 6804 may be similar to graph lanes 5302,5304, 5306 described above, such that they may display graphicalvisualizations of corresponding KPI values. Additional lane 6806,however, may be a different type of lane, which does not displaygraphical visualizations. In one implementation, additional lane 6806may display inventory information for the service or for the one or moreentities providing the service reflected by the KPI corresponding to thegraphical visualization in the adjacent lane 6804. The additional lane6806 may include textual information, or other non-graphicalinformation. The inventory information may include information about theservice or the entities providing the service, such as an identifier ofthe entities (e.g., a host name, server name), a location of theentities (e.g., rack number, data center name), etc. In oneimplementation, the inventory information displayed in lane 6806 may bepopulated from information provided during the entity definitionprocess. In one embodiment, the inventory information displayed inadditional lane 6806 may change according to the position of visualindicator 5514 along time axis 5410. When the inventory information istime stamped, or otherwise is associated with a time value, theinventory information may be different at different points in time.Accordingly, in one implementation, the inventory information availableat the time associated with the position of visual indicator 5514 may bedisplayed in additional lane 6806. In one implementation, additionallane 6806 may be continually associated with an adjacent lane 6804, suchthat if the lanes in visual interface 5300 are reordered, additionallane 6806 remains adjacent to lane 6804 despite the reordering.

FIG. 69 illustrates an example of a visual interface 5300 displaying agraph lane with notable events occurring during a timer period coveredby graphical visualization of KPI values, in accordance with one or moreimplementations of the present disclosure. In one implementation, anadditional lane 6908 is displayed in parallel to at least one of graphlanes 6902, 6904, 6906. Graph lanes 6902, 6904, 6906 may be similar tograph lanes 5302, 5304, 5306 described above, such that they may displaygraphical visualizations of corresponding KPI values. Additional lane6908, however, may be a different type of lane designed to displayindications of the occurrences of notable events. “Notable events” aresystem occurrences that may be likely to indicate a security threat oroperational problem. These notable events can be detected in a number ofways: (1) an analyst can notice a correlation in the data and canmanually identify a corresponding group of one or more events as“notable;” or (2) an analyst can define a “correlation search”specifying criteria for a notable event, and every time one or moreevents satisfy the criteria, the application can indicate that the oneor more events are notable. An analyst can alternatively select apre-defined correlation search provided by the application. Note thatcorrelation searches can be run continuously or at regular intervals(e.g., every hour) to search for notable events. Upon detection, notableevents can be stored in a dedicated “notable events index,” which can besubsequently accessed to generate various visualizations containingsecurity-related information.

In one implementation, the notable events occurring during the period oftime represented by time axis 5410 are displayed as flags 6910 orbubbles in a bubble chart in additional lane 6908. The flags 6910 may belocated at a position along time axis 5410 corresponding to when thenotable event occurred. In one implementation, the flags 6910 may becolor coded to vindicate the severity or importance of the notableevent. In one implementation, when one of the flags 6910 is selected(e.g., by clicking on the flag or hovering the cursor over the flag), adescription of the notable event may be displayed. As illustrated inFIG. 69, the description 6912 may be displayed in a horizontal bar alongthe bottom of lane 6908. In another implementation, as illustrated inFIG. 70, the description 7012 may be displayed adjacent to the selectedflag 6910. In one implementation, user-manipulable visual indicator 5514may be used to select a particular flag 6910. For example, when visualindicator 5514 is slid along the length of lane 6908, a description 7012of a corresponding notable event at the same time may be displayed.

In some implementations, search queries for KPIs and correlationsearches can derive values using a late binding schema that the searchqueries apply to machine data. Late binding schema is described ingreater detail below. The systems and methods described herein above maybe employed by various data processing systems, e.g., data aggregationand analysis systems. In various illustrative examples, the dataprocessing system may be represented by the SPLUNK® ENTERPRISE systemproduced by Splunk Inc. of San Francisco, Calif., to store and processperformance data.

1.1 Overview

Modern data centers often comprise thousands of host computer systemsthat operate collectively to service requests from even larger numbersof remote clients. During operation, these data centers generatesignificant volumes of performance data and diagnostic information thatcan be analyzed to quickly diagnose performance problems. In order toreduce the size of this performance data, the data is typicallypre-processed prior to being stored based on anticipated data-analysisneeds. For example, pre-specified data items can be extracted from theperformance data and stored in a database to facilitate efficientretrieval and analysis at search time. However, the rest of theperformance data is not saved and is essentially discarded duringpre-processing. As storage capacity becomes progressively cheaper andmore plentiful, there are fewer incentives to discard this performancedata and many reasons to keep it.

This plentiful storage capacity is presently making it feasible to storemassive quantities of minimally processed performance data at “ingestiontime” for later retrieval and analysis at “search time.” Note thatperforming the analysis operations at search time provides greaterflexibility because it enables an analyst to search all of theperformance data, instead of searching pre-specified data items thatwere stored at ingestion time. This enables the analyst to investigatedifferent implementations of the performance data instead of beingconfined to the pre-specified set of data items that were selected atingestion time.

However, analyzing massive quantities of heterogeneous performance dataat search time can be a challenging task. A data center may generateheterogeneous performance data from thousands of different components,which can collectively generate tremendous volumes of performance datathat can be time-consuming to analyze. For example, this performancedata can include data from system logs, network packet data, sensordata, and data generated by various applications. Also, the unstructurednature of much of this performance data can pose additional challengesbecause of the difficulty of applying semantic meaning to unstructureddata, and the difficulty of indexing and querying unstructured datausing traditional database systems.

These challenges can be addressed by using an event-based system, suchas the SPLUNK® ENTERPRISE system produced by Splunk Inc. of SanFrancisco, Calif., to store and process performance data. The SPLUNK®ENTERPRISE system is the leading platform for providing real-timeoperational intelligence that enables organizations to collect, index,and harness machine-generated data from various web sites, applications,servers, networks, and mobile devices that power their businesses. TheSPLUNK® ENTERPRISE system is particularly useful for analyzingunstructured performance data, which is commonly found in system logfiles. Although many of the techniques described herein are explainedwith reference to the SPLUNK® ENTERPRISE system, the techniques are alsoapplicable to other types of data server systems.

In the SPLUNK® ENTERPRISE system, performance data is stored as“events,” wherein each event comprises a collection of performance dataand/or diagnostic information that is generated by a computer system andis correlated with a specific point in time. Events can be derived from“time series data,” wherein time series data comprises a sequence ofdata points (e.g., performance measurements from a computer system) thatare associated with successive points in time and are typically spacedat uniform time intervals. Events can also be derived from “structured”or “unstructured” data. Structured data has a predefined format, whereinspecific data items with specific data formats reside at predefinedlocations in the data. For example, structured data can include dataitems stored in fields in a database table. In contrast, unstructureddata does not have a predefined format. This means that unstructureddata can comprise various data items having different data types thatcan reside at different locations. For example, when the data source isan operating system log, an event can include one or more lines from theoperating system log containing raw data that includes different typesof performance and diagnostic information associated with a specificpoint in time. Examples of data sources from which an event may bederived include, but are not limited to: web servers; applicationservers; databases; firewalls; routers; operating systems; and softwareapplications that execute on computer systems, mobile devices, andsensors. The data generated by such data sources can be produced invarious forms including, for example and without limitation, server logfiles, activity log files, configuration files, messages, network packetdata, performance measurements and sensor measurements. An eventtypically includes a timestamp that may be derived from the raw data inthe event, or may be determined through interpolation between temporallyproximate events having known timestamps.

The SPLUNK® ENTERPRISE system also facilitates using a flexible schemato specify how to extract information from the event data, wherein theflexible schema may be developed and redefined as needed. Note that aflexible schema may be applied to event data “on the fly,” when it isneeded (e.g., at search time), rather than at ingestion time of the dataas in traditional database systems. Because the schema is not applied toevent data until it is needed (e.g., at search time), it is referred toas a “late-binding schema.”

During operation, the SPLUNK® ENTERPRISE system starts with raw data,which can include unstructured data, machine data, performancemeasurements or other time-series data, such as data obtained fromweblogs, syslogs, or sensor readings. It divides this raw data into“portions,” and optionally transforms the data to produce timestampedevents. The system stores the timestamped events in a data store, andenables a user to run queries against the data store to retrieve eventsthat meet specified criteria, such as containing certain keywords orhaving specific values in defined fields. Note that the term “field”refers to a location in the event data containing a value for a specificdata item.

As noted above, the SPLUNK® ENTERPRISE system facilitates using alate-binding schema while performing queries on events. A late-bindingschema specifies “extraction rules” that are applied to data in theevents to extract values for specific fields. More specifically, theextraction rules for a field can include one or more instructions thatspecify how to extract a value for the field from the event data. Anextraction rule can generally include any type of instruction forextracting values from data in events. In some cases, an extraction rulecomprises a regular expression, in which case the rule is referred to asa “regex rule.”

In contrast to a conventional schema for a database system, alate-binding schema is not defined at data ingestion time. Instead, thelate-binding schema can be developed on an ongoing basis until the timea query is actually executed. This means that extraction rules for thefields in a query may be provided in the query itself, or may be locatedduring execution of the query. Hence, as an analyst learns more aboutthe data in the events, the analyst can continue to refine thelate-binding schema by adding new fields, deleting fields, or changingthe field extraction rules until the next time the schema is used by aquery. Because the SPLUNK® ENTERPRISE system maintains the underlyingraw data and provides a late-binding schema for searching the raw data,it enables an analyst to investigate questions that arise as the analystlearns more about the events.

In the SPLUNK® ENTERPRISE system, a field extractor may be configured toautomatically generate extraction rules for certain fields in the eventswhen the events are being created, indexed, or stored, or possibly at alater time. Alternatively, a user may manually define extraction rulesfor fields using a variety of techniques.

Also, a number of “default fields” that specify metadata about theevents rather than data in the events themselves can be createdautomatically. For example, such default fields can specify: a timestampfor the event data; a host from which the event data originated; asource of the event data; and a source type for the event data. Thesedefault fields may be determined automatically when the events arecreated, indexed or stored.

In some embodiments, a common field name may be used to reference two ormore fields containing equivalent data items, even though the fields maybe associated with different types of events that possibly havedifferent data formats and different extraction rules. By enabling acommon field name to be used to identify equivalent fields fromdifferent types of events generated by different data sources, thesystem facilitates use of a “common information model” (CIM) across thedifferent data sources.

1.2 Data Server System

FIG. 71 presents a block diagram of an exemplary event-processing system7100, similar to the SPLUNK® ENTERPRISE system. System 7100 includes oneor more forwarders 7101 that collect data obtained from a variety ofdifferent data sources 7105, and one or more indexers 7102 that store,process, and/or perform operations on this data, wherein each indexeroperates on data contained in a specific data store 7103. Theseforwarders and indexers can comprise separate computer systems in a datacenter, or may alternatively comprise separate processes executing onvarious computer systems in a data center.

During operation, the forwarders 7101 identify which indexers 7102 willreceive the collected data and then forward the data to the identifiedindexers. Forwarders 7101 can also perform operations to strip outextraneous data and detect timestamps in the data. The forwarders nextdetermine which indexers 7102 will receive each data item and thenforward the data items to the determined indexers 7102.

Note that distributing data across different indexers facilitatesparallel processing. This parallel processing can take place at dataingestion time, because multiple indexers can process the incoming datain parallel. The parallel processing can also take place at search time,because multiple indexers can search through the data in parallel.

System 7100 and the processes described below with respect to FIGS. 71-5are further described in “Exploring Splunk Search Processing Language(SPL) Primer and Cookbook” by David Carasso, CITO Research, 2012, and in“Optimizing Data Analysis With a Semi-Structured Time Series Database”by Ledion Bitincka, Archana Ganapathi, Stephen Sorkin, and Steve Zhang,SLAML, 2010, each of which is hereby incorporated herein by reference inits entirety for all purposes.

1.3 Data Ingestion

FIG. 72 presents a flowchart illustrating how an indexer processes,indexes, and stores data received from forwarders in accordance with thedisclosed embodiments. At block 7201, the indexer receives the data fromthe forwarder. Next, at block 7202, the indexer apportions the data intoevents. Note that the data can include lines of text that are separatedby carriage returns or line breaks and an event may include one or moreof these lines. During the apportioning process, the indexer can useheuristic rules to automatically determine the boundaries of the events,which for example coincide with line boundaries. These heuristic rulesmay be determined based on the source of the data, wherein the indexercan be explicitly informed about the source of the data or can infer thesource of the data by examining the data. These heuristic rules caninclude regular expression-based rules or delimiter-based rules fordetermining event boundaries, wherein the event boundaries may beindicated by predefined characters or character strings. Thesepredefined characters may include punctuation marks or other specialcharacters including, for example, carriage returns, tabs, spaces orline breaks. In some cases, a user can fine-tune or configure the rulesthat the indexers use to determine event boundaries in order to adaptthe rules to the user's specific requirements.

Next, the indexer determines a timestamp for each event at block 7203.As mentioned above, these timestamps can be determined by extracting thetime directly from data in the event, or by interpolating the time basedon timestamps from temporally proximate events. In some cases, atimestamp can be determined based on the time the data was received orgenerated. The indexer subsequently associates the determined timestampwith each event at block 7204, for example by storing the timestamp asmetadata for each event.

Then, the system can apply transformations to data to be included inevents at block 7205. For log data, such transformations can includeremoving a portion of an event (e.g., a portion used to define eventboundaries, extraneous text, characters, etc.) or removing redundantportions of an event. Note that a user can specify portions to beremoved using a regular expression or any other possible technique.

Next, a keyword index can optionally be generated to facilitate fastkeyword searching for events. To build a keyword index, the indexerfirst identifies a set of keywords in block 7206. Then, at block 7207the indexer includes the identified keywords in an index, whichassociates each stored keyword with references to events containing thatkeyword (or to locations within events where that keyword is located).When an indexer subsequently receives a keyword-based query, the indexercan access the keyword index to quickly identify events containing thekeyword.

In some embodiments, the keyword index may include entries forname-value pairs found in events, wherein a name-value pair can includea pair of keywords connected by a symbol, such as an equals sign orcolon. In this way, events containing these name-value pairs can bequickly located. In some embodiments, fields can automatically begenerated for some or all of the name-value pairs at the time ofindexing. For example, if the string “dest=10.0.1.2” is found in anevent, a field named “dest” may be created for the event, and assigned avalue of “10.0.1.2.”

Finally, the indexer stores the events in a data store at block 7208,wherein a timestamp can be stored with each event to facilitatesearching for events based on a time range. In some cases, the storedevents are organized into a plurality of buckets, wherein each bucketstores events associated with a specific time range. This not onlyimproves time-based searches, but it also allows events with recenttimestamps that may have a higher likelihood of being accessed to bestored in faster memory to facilitate faster retrieval. For example, abucket containing the most recent events can be stored as flash memoryinstead of on hard disk.

Each indexer 7102 is responsible for storing and searching a subset ofthe events contained in a corresponding data store 7103. By distributingevents among the indexers and data stores, the indexers can analyzeevents for a query in parallel, for example using map-reduce techniques,wherein each indexer returns partial responses for a subset of events toa search head that combines the results to produce an answer for thequery. By storing events in buckets for specific time ranges, an indexermay further optimize searching by looking only in buckets for timeranges that are relevant to a query.

Moreover, events and buckets can also be replicated across differentindexers and data stores to facilitate high availability and disasterrecovery as is described in U.S. patent application Ser. No. 14/266,812filed on 30 Apr. 2014, and in U.S. application patent Ser. No.14/266,817 also filed on 30 Apr. 2014.

1.4 Query Processing

FIG. 73 presents a flowchart illustrating how a search head and indexersperform a search query in accordance with the disclosed embodiments. Atthe start of this process, a search head receives a search query from aclient at block 7301. Next, at block 7302, the search head analyzes thesearch query to determine what portions can be delegated to indexers andwhat portions need to be executed locally by the search head. At block7303, the search head distributes the determined portions of the queryto the indexers. Note that commands that operate on single events can betrivially delegated to the indexers, while commands that involve eventsfrom multiple indexers are harder to delegate.

Then, at block 7304, the indexers to which the query was distributedsearch their data stores for events that are responsive to the query. Todetermine which events are responsive to the query, the indexer searchesfor events that match the criteria specified in the query. This criteriacan include matching keywords or specific values for certain fields. Ina query that uses a late-binding schema, the searching operations inblock 7304 may involve using the late-binding scheme to extract valuesfor specified fields from events at the time the query is processed.Next, the indexers can either send the relevant events back to thesearch head, or use the events to calculate a partial result, and sendthe partial result back to the search head.

Finally, at block 7305, the search head combines the partial resultsand/or events received from the indexers to produce a final result forthe query. This final result can comprise different types of datadepending upon what the query is asking for. For example, the finalresults can include a listing of matching events returned by the query,or some type of visualization of data from the returned events. Inanother example, the final result can include one or more calculatedvalues derived from the matching events.

Moreover, the results generated by system 7100 can be returned to aclient using different techniques. For example, one technique streamsresults back to a client in real-time as they are identified. Anothertechnique waits to report results to the client until a complete set ofresults is ready to return to the client. Yet another technique streamsinterim results back to the client in real-time until a complete set ofresults is ready, and then returns the complete set of results to theclient. In another technique, certain results are stored as “searchjobs,” and the client may subsequently retrieve the results byreferencing the search jobs.

The search head can also perform various operations to make the searchmore efficient. For example, before the search head starts executing aquery, the search head can determine a time range for the query and aset of common keywords that all matching events must include. Next, thesearch head can use these parameters to query the indexers to obtain asuperset of the eventual results. Then, during a filtering stage, thesearch head can perform field-extraction operations on the superset toproduce a reduced set of search results.

1.5 Field Extraction

FIG. 74A presents a block diagram illustrating how fields can beextracted during query processing in accordance with the disclosedembodiments. At the start of this process, a search query 7402 isreceived at a query processor 7404. Query processor 7404 includesvarious mechanisms for processing a query, wherein these mechanisms canreside in a search head 7104 and/or an indexer 7102. Note that theexemplary search query 7402 illustrated in FIG. 74A is expressed inSearch Processing Language (SPL), which is used in conjunction with theSPLUNK® ENTERPRISE system. SPL is a pipelined search language in which aset of inputs is operated on by a first command in a command line, andthen a subsequent command following the pipe symbol “|” operates on theresults produced by the first command, and so on for additionalcommands. Search query 7402 can also be expressed in other querylanguages, such as the Structured Query Language (“SQL”) or any suitablequery language.

Upon receiving search query 7402, query processor 7404 sees that searchquery 7402 includes two fields “IP” and “target.” Query processor 7404also determines that the values for the “IP” and “target” fields havenot already been extracted from events in data store 7414, andconsequently determines that query processor 7404 needs to useextraction rules to extract values for the fields. Hence, queryprocessor 7404 performs a lookup for the extraction rules in a rule base7406, wherein rule base 7406 maps field names to correspondingextraction rules and obtains extraction rules 7408-7409, whereinextraction rule 7408 specifies how to extract a value for the “IP” fieldfrom an event, and extraction rule 7409 specifies how to extract a valuefor the “target” field from an event. As is illustrated in FIG. 74A,extraction rules 7408-7409 can comprise regular expressions that specifyhow to extract values for the relevant fields. Suchregular-expression-based extraction rules are also referred to as “regexrules.” In addition to specifying how to extract field values, theextraction rules may also include instructions for deriving a fieldvalue by performing a function on a character string or value retrievedby the extraction rule. For example, a transformation rule may truncatea character string, or convert the character string into a differentdata format. In some cases, the query itself can specify one or moreextraction rules.

Next, query processor 7404 sends extraction rules 7408-7409 to a fieldextractor 7412, which applies extraction rules 7408-7409 to events7416-7418 in a data store 7414. Note that data store 7414 can includeone or more data stores, and extraction rules 7408-7409 can be appliedto large numbers of events in data store 7414, and are not meant to belimited to the three events 7416-7418 illustrated in FIG. 74A. Moreover,the query processor 7404 can instruct field extractor 7412 to apply theextraction rules to all the events in a data store 7414, or to a subsetof the events that have been filtered based on some criteria.

Next, field extractor 7412 applies extraction rule 7408 for the firstcommand “Search IP=“10*” to events in data store 7414 including events7416-7418. Extraction rule 7408 is used to extract values for the IPaddress field from events in data store 7414 by looking for a pattern ofone or more digits, followed by a period, followed again by one or moredigits, followed by another period, followed again by one or moredigits, followed by another period, and followed again by one or moredigits. Next, field extractor 7412 returns field values 7420 to queryprocessor 7404, which uses the criterion IP=“10*” to look for IPaddresses that start with “10”. Note that events 7416 and 7417 matchthis criterion, but event 7418 does not, so the result set for the firstcommand is events 7416-7417.

Query processor 7404 then sends events 7416-717 to the next command“stats count target.” To process this command, query processor 7404causes field extractor 7412 to apply extraction rule 7409 to events7416-7417. Extraction rule 7409 is used to extract values for the targetfield for events 7416-7417 by skipping the first four commas in events7416-7417, and then extracting all of the following characters until acomma or period is reached. Next, field extractor 7412 returns fieldvalues 7421 to query processor 7404, which executes the command “statscount target” to count the number of unique values contained in thetarget fields, which in this example produces the value “2” that isreturned as a final result 7422 for the query.

Note that query results can be returned to a client, a search head, orany other system component for further processing. In general, queryresults may include: a set of one or more events; a set of one or morevalues obtained from the events; a subset of the values; statisticscalculated based on the values; a report containing the values; or avisualization, such as a graph or chart, generated from the values.

1.5.1 Data Models

Creating queries requires knowledge of the fields that are included inthe events being searched, as well as knowledge of the query processinglanguage used for the queries. While a data analyst may possess domainunderstanding of underlying data and knowledge of the query processinglanguage, an end user responsible for creating reports at a company(e.g., a marketing specialist) may not have such expertise. In order toassist end users, implementations of the event-processing systemdescribed herein provide data models that simplify the creation ofreports and other visualizations.

A data model encapsulates semantic knowledge about certain events. Adata model can be composed of one or more objects grouped in ahierarchical manner. In general, the objects included in a data modelmay be related to each other in some way. In particular, a data modelcan include a root object and, optionally, one or more child objectsthat can be linked (either directly or indirectly) to the root object. Aroot object can be defined by search criteria for a query to produce acertain set of events, and a set of fields that can be exposed tooperate on those events. A root object can be a parent of one or morechild objects, and any of those child objects can optionally be a parentof one or more additional child objects. Each child object can inheritthe search criteria of its parent object and have additional searchcriteria to further filter out events represented by its parent object.Each child object may also include at least some of the fields of itsparent object and optionally additional fields specific to the childobject.

FIG. 74B illustrates an example data model structure 7428, in accordancewith some implementations. As shown, example data model “ButtercupGames” 7430 includes root object “Purchase Requests” 7432, and childobjects “Successful Purchases” 7434 and “Unsuccessful Purchases” 7436.

FIG. 74C illustrates an example definition 7440 of root object 7432 ofdata model 7430, in accordance with some implementations. As shown,definition 7440 of root object 7432 includes search criteria 7442 and aset of fields 7444. Search criteria 7442 require that a search queryproduce web access requests that qualify as purchase events. Fields 7444include inherited fields 7446 which are default fields that specifymetadata about the events of the root object 7432. In addition, fields7444 include extracted fields 7448, whose values can be automaticallyextracted from the events during search using extraction rules of thelate binding schema, and calculated fields 7450, whose values can beautomatically determined based on values of other fields extracted fromthe events. For example, the value of the productName field can bedetermined based on the value in the productID field (e.g., by searchinga lookup table for a product name matching the value of the productIDfield). In another example, the value of the price field can becalculated based on values of other fields (e.g., by multiplying theprice per unit by the number of units).

FIG. 74D illustrates example definitions 7458 and 7460 of child objects7434 and 7436 respectively, in accordance with some implementations.Definition 7458 of child object 7434 includes search criteria 7462 and aset of fields 7464. Search criteria 7462 inherits search criteria 7442of the parent object 7432 and includes an additional criterion of“status=200,” which indicates that the search query should produce webaccess requests that qualify as successful purchase events. Fields 7464consist of the fields inherited from the parent object 7432.

Definition 7460 of child object 7436 includes search criteria 7470 and aset of fields 7474. Search criteria 7470 inherits search criteria 7442of the parent object 7432 and includes an additional criterion of“status!=200,” which indicates that the search query should produce webaccess requests that qualify as unsuccessful purchase events. Fields7474 consist of the fields inherited from the parent object 7432. Asshown, child objects 7434 and 7436 include all the fields inherited fromthe parent object 7432. In other implementations, child objects may onlyinclude some of the fields of the parent object and/or may includeadditional fields that are not exposed by the parent object.

When creating a report, a user can select an object of a data model tofocus on the events represented by the selected object. The user canthen view the fields of the data object and request the event-processingsystem to structure the report based on those fields. For example, theuser can request the event-processing system to add some fields to thereport, to add calculations based on some fields to the report, to groupdata in the report based on some fields, etc. The user can also inputadditional constraints (e.g., specific values and/or mathematicalexpressions) for some of the fields to further filter out events onwhich the report should be focused.

1.6 Exemplary Search Screen

FIG. 76A illustrates an exemplary search screen 7600 in accordance withthe disclosed embodiments. Search screen 7600 includes a search bar 7602that accepts user input in the form of a search string. It also includesa time range picker 7612 that enables the user to specify a time rangefor the search. For “historical searches” the user can select a specifictime range, or alternatively a relative time range, such as “today,”“yesterday” or “last week.” For “real-time searches,” the user canselect the size of a preceding time window to search for real-timeevents. Search screen 7600 also initially displays a “data summary”dialog as is illustrated in FIG. 76B that enables the user to selectdifferent sources for the event data, for example by selecting specifichosts and log files.

After the search is executed, the search screen 7600 can display theresults through search results tabs 7604, wherein search results tabs7604 includes: an “events tab” that displays various information aboutevents returned by the search; a “statistics tab” that displaysstatistics about the search results; and a “visualization tab” thatdisplays various visualizations of the search results. The events tabillustrated in FIG. 76A displays a timeline graph 7605 that graphicallyillustrates the number of events that occurred in one-hour intervalsover the selected time range. It also displays an events list 7608 thatenables a user to view the raw data in each of the returned events. Itadditionally displays a fields sidebar 7606 that includes statisticsabout occurrences of specific fields in the returned events, including“selected fields” that are pre-selected by the user, and “interestingfields” that are automatically selected by the system based onpre-specified criteria.

1.7 Acceleration Techniques

The above-described system provides significant flexibility by enablinga user to analyze massive quantities of minimally processed performancedata “on the fly” at search time instead of storing pre-specifiedportions of the performance data in a database at ingestion time. Thisflexibility enables a user to see correlations in the performance dataand perform subsequent queries to examine interesting implementations ofthe performance data that may not have been apparent at ingestion time.

However, performing extraction and analysis operations at search timecan involve a large amount of data and require a large number ofcomputational operations, which can cause considerable delays whileprocessing the queries. Fortunately, a number of acceleration techniqueshave been developed to speed up analysis operations performed at searchtime. These techniques include: (1) performing search operations inparallel by formulating a search as a map-reduce computation; (2) usinga keyword index; (3) using a high performance analytics store; and (4)accelerating the process of generating reports. These techniques aredescribed in more detail below.

1.7.1 Map-Reduce Technique

To facilitate faster query processing, a query can be structured as amap-reduce computation, wherein the “map” operations are delegated tothe indexers, while the corresponding “reduce” operations are performedlocally at the search head. For example, FIG. 75 illustrates how asearch query 7501 received from a client at search head 7104 can splitinto two phases, including: (1) a “map phase” comprising subtasks 7502(e.g., data retrieval or simple filtering) that may be performed inparallel and are “mapped” to indexers 7102 for execution, and (2) a“reduce phase” comprising a merging operation 7503 to be executed by thesearch head when the results are ultimately collected from the indexers.

During operation, upon receiving search query 7501, search head 7104modifies search query 7501 by substituting “stats” with “prestats” toproduce search query 7502, and then distributes search query 7502 to oneor more distributed indexers, which are also referred to as “searchpeers.” Note that search queries may generally specify search criteriaor operations to be performed on events that meet the search criteria.Search queries may also specify field names, as well as search criteriafor the values in the fields or operations to be performed on the valuesin the fields. Moreover, the search head may distribute the full searchquery to the search peers as is illustrated in FIG. 73, or mayalternatively distribute a modified version (e.g., a more restrictedversion) of the search query to the search peers. In this example, theindexers are responsible for producing the results and sending them tothe search head. After the indexers return the results to the searchhead, the search head performs the merging operations 7503 on theresults. Note that by executing the computation in this way, the systemeffectively distributes the computational operations while minimizingdata transfers.

1.7.2 Keyword Index

As described above with reference to the flow charts in FIGS. 72 and 73,event-processing system 7100 can construct and maintain one or morekeyword indices to facilitate rapidly identifying events containingspecific keywords. This can greatly speed up the processing of queriesinvolving specific keywords. As mentioned above, to build a keywordindex, an indexer first identifies a set of keywords. Then, the indexerincludes the identified keywords in an index, which associates eachstored keyword with references to events containing that keyword, or tolocations within events where that keyword is located. When an indexersubsequently receives a keyword-based query, the indexer can access thekeyword index to quickly identify events containing the keyword.

1.7.3 High Performance Analytics Store

To speed up certain types of queries, some embodiments of system 7100make use of a high performance analytics store, which is referred to asa “summarization table,” that contains entries for specific field-valuepairs. Each of these entries keeps track of instances of a specificvalue in a specific field in the event data and includes references toevents containing the specific value in the specific field. For example,an exemplary entry in a summarization table can keep track ofoccurrences of the value “94107” in a “ZIP code” field of a set ofevents, wherein the entry includes references to all of the events thatcontain the value “94107” in the ZIP code field. This enables the systemto quickly process queries that seek to determine how many events have aparticular value for a particular field, because the system can examinethe entry in the summarization table to count instances of the specificvalue in the field without having to go through the individual events ordo extractions at search time. Also, if the system needs to process allevents that have a specific field-value combination, the system can usethe references in the summarization table entry to directly access theevents to extract further information without having to search all ofthe events to find the specific field-value combination at search time.

In some embodiments, the system maintains a separate summarization tablefor each of the above-described time-specific buckets that stores eventsfor a specific time range, wherein a bucket-specific summarization tableincludes entries for specific field-value combinations that occur inevents in the specific bucket. Alternatively, the system can maintain aseparate summarization table for each indexer, wherein theindexer-specific summarization table only includes entries for theevents in a data store that is managed by the specific indexer.

The summarization table can be populated by running a “collection query”that scans a set of events to find instances of a specific field-valuecombination, or alternatively instances of all field-value combinationsfor a specific field. A collection query can be initiated by a user, orcan be scheduled to occur automatically at specific time intervals. Acollection query can also be automatically launched in response to aquery that asks for a specific field-value combination.

In some cases, the summarization tables may not cover all of the eventsthat are relevant to a query. In this case, the system can use thesummarization tables to obtain partial results for the events that arecovered by summarization tables, but may also have to search throughother events that are not covered by the summarization tables to produceadditional results. These additional results can then be combined withthe partial results to produce a final set of results for the query.This summarization table and associated techniques are described in moredetail in U.S. Pat. No. 8,682,925, issued on Mar. 25, 2014.

1.7.4 Accelerating Report Generation

In some embodiments, a data server system such as the SPLUNK® ENTERPRISEsystem can accelerate the process of periodically generating updatedreports based on query results. To accelerate this process, asummarization engine automatically examines the query to determinewhether generation of updated reports can be accelerated by creatingintermediate summaries. (This is possible if results from preceding timeperiods can be computed separately and combined to generate an updatedreport. In some cases, it is not possible to combine such incrementalresults, for example where a value in the report depends onrelationships between events from different time periods.) If reportscan be accelerated, the summarization engine periodically generates asummary covering data obtained during a latest non-overlapping timeperiod. For example, where the query seeks events meeting a specifiedcriteria, a summary for the time period includes only events within thetime period that meet the specified criteria. Similarly, if the queryseeks statistics calculated from the events, such as the number ofevents that match the specified criteria, then the summary for the timeperiod includes the number of events in the period that match thespecified criteria.

In parallel with the creation of the summaries, the summarization engineschedules the periodic updating of the report associated with the query.During each scheduled report update, the query engine determines whetherintermediate summaries have been generated covering portions of the timeperiod covered by the report update. If so, then the report is generatedbased on the information contained in the summaries. Also, if additionalevent data has been received and has not yet been summarized, and isrequired to generate the complete report, the query can be run on thisadditional event data. Then, the results returned by this query on theadditional event data, along with the partial results obtained from theintermediate summaries, can be combined to generate the updated report.This process is repeated each time the report is updated. Alternatively,if the system stores events in buckets covering specific time ranges,then the summaries can be generated on a bucket-by-bucket basis. Notethat producing intermediate summaries can save the work involved inre-running the query for previous time periods, so only the newer eventdata needs to be processed while generating an updated report. Thesereport acceleration techniques are described in more detail in U.S. Pat.No. 8,589,403, issued on Nov. 19, 2013, and U.S. Pat. No. 8,412,696,issued on Apr. 2, 2011.

1.8 Security Features

The SPLUNK® ENTERPRISE platform provides various schemas, dashboards andvisualizations that make it easy for developers to create applicationsto provide additional capabilities. One such application is the SPLUNK®APP FOR ENTERPRISE SECURITY, which performs monitoring and alertingoperations and includes analytics to facilitate identifying both knownand unknown security threats based on large volumes of data stored bythe SPLUNK® ENTERPRISE system. This differs significantly fromconventional Security Information and Event Management (SIEM) systemsthat lack the infrastructure to effectively store and analyze largevolumes of security-related event data. Traditional SIEM systemstypically use fixed schemas to extract data from pre-definedsecurity-related fields at data ingestion time, wherein the extracteddata is typically stored in a relational database. This data extractionprocess (and associated reduction in data size) that occurs at dataingestion time inevitably hampers future incident investigations, whenall of the original data may be needed to determine the root cause of asecurity issue, or to detect the tiny fingerprints of an impendingsecurity threat.

In contrast, the SPLUNK® APP FOR ENTERPRISE SECURITY system stores largevolumes of minimally processed security-related data at ingestion timefor later retrieval and analysis at search time when a live securitythreat is being investigated. To facilitate this data retrieval process,the SPLUNK® APP FOR ENTERPRISE SECURITY provides pre-specified schemasfor extracting relevant values from the different types ofsecurity-related event data, and also enables a user to define suchschemas.

The SPLUNK® APP FOR ENTERPRISE SECURITY can process many types ofsecurity-related information. In general, this security-relatedinformation can include any information that can be used to identifysecurity threats. For example, the security-related information caninclude network-related information, such as IP addresses, domain names,asset identifiers, network traffic volume, uniform resource locatorstrings, and source addresses. (The process of detecting securitythreats for network-related information is further described in U.S.patent application Ser. No. 13/956,252, and Ser. No. 13/956,262.)Security-related information can also include endpoint information, suchas malware infection data and system configuration information, as wellas access control information, such as login/logout information andaccess failure notifications. The security-related information canoriginate from various sources within a data center, such as hosts,virtual machines, storage devices and sensors. The security-relatedinformation can also originate from various sources in a network, suchas routers, switches, email servers, proxy servers, gateways, firewallsand intrusion-detection systems.

During operation, the SPLUNK® APP FOR ENTERPRISE SECURITY facilitatesdetecting so-called “notable events” that are likely to indicate asecurity threat. These notable events can be detected in a number ofways: (1) an analyst can notice a correlation in the data and canmanually identify a corresponding group of one or more events as“notable;” or (2) an analyst can define a “correlation search”specifying criteria for a notable event, and every time one or moreevents satisfy the criteria, the application can indicate that the oneor more events are notable. An analyst can alternatively select apre-defined correlation search provided by the application. Note thatcorrelation searches can be run continuously or at regular intervals(e.g., every hour) to search for notable events. Upon detection, notableevents can be stored in a dedicated “notable events index,” which can besubsequently accessed to generate various visualizations containingsecurity-related information. Also, alerts can be generated to notifysystem operators when important notable events are discovered.

The SPLUNK® APP FOR ENTERPRISE SECURITY provides various visualizationsto aid in discovering security threats, such as a “key indicators view”that enables a user to view security metrics of interest, such as countsof different types of notable events. For example, FIG. 77A illustratesan exemplary key indicators view 7700 that comprises a dashboard, whichcan display a value 7701, for various security-related metrics, such asmalware infections 7702. It can also display a change in a metric value7703, which indicates that the number of malware infections increased by63 during the preceding interval. Key indicators view 7700 additionallydisplays a histogram panel 7704 that displays a histogram of notableevents organized by urgency values, and a histogram of notable eventsorganized by time intervals. This key indicators view is described infurther detail in pending U.S. patent application Ser. No. 13/956,338filed Jul. 31, 2013.

These visualizations can also include an “incident review dashboard”that enables a user to view and act on “notable events.” These notableevents can include: (1) a single event of high importance, such as anyactivity from a known web attacker; or (2) multiple events thatcollectively warrant review, such as a large number of authenticationfailures on a host followed by a successful authentication. For example,FIG. 77B illustrates an exemplary incident review dashboard 7710 thatincludes a set of incident attribute fields 7711 that, for example,enables a user to specify a time range field 7712 for the displayedevents. It also includes a timeline 7713 that graphically illustratesthe number of incidents that occurred in one-hour time intervals overthe selected time range. It additionally displays an events list 7714that enables a user to view a list of all of the notable events thatmatch the criteria in the incident attributes fields 7711. To facilitateidentifying patterns among the notable events, each notable event can beassociated with an urgency value (e.g., low, medium, high, critical),which is indicated in the incident review dashboard. The urgency valuefor a detected event can be determined based on the severity of theevent and the priority of the system component associated with theevent. The incident review dashboard is described further in“http://docs.splunk.com/Documentation/PCI/2.1.1/User/IncidentReviewdashboard.”

1.9 Data Center Monitoring

As mentioned above, the SPLUNK® ENTERPRISE platform provides variousfeatures that make it easy for developers to create variousapplications. One such application is the SPLUNK® APP FOR VMWARE®, whichperforms monitoring operations and includes analytics to facilitatediagnosing the root cause of performance problems in a data center basedon large volumes of data stored by the SPLUNK® ENTERPRISE system.

This differs from conventional data-center-monitoring systems that lackthe infrastructure to effectively store and analyze large volumes ofperformance information and log data obtained from the data center. Inconventional data-center-monitoring systems, this performance data istypically pre-processed prior to being stored, for example by extractingpre-specified data items from the performance data and storing them in adatabase to facilitate subsequent retrieval and analysis at search time.However, the rest of the performance data is not saved and isessentially discarded during pre-processing. In contrast, the SPLUNK®APP FOR VMWARE® stores large volumes of minimally processed performanceinformation and log data at ingestion time for later retrieval andanalysis at search time when a live performance issue is beinginvestigated.

The SPLUNK® APP FOR VMWARE® can process many types ofperformance-related information. In general, this performance-relatedinformation can include any type of performance-related data and logdata produced by virtual machines and host computer systems in a datacenter. In addition to data obtained from various log files, thisperformance-related information can include values for performancemetrics obtained through an application programming interface (API)provided as part of the vSphere Hypervisor™ system distributed byVMware, Inc. of Palo Alto, Calif. For example, these performance metricscan include: (1) CPU-related performance metrics; (2) disk-relatedperformance metrics; (3) memory-related performance metrics; (4)network-related performance metrics; (5) energy-usage statistics; (6)data-traffic-related performance metrics; (7) overall systemavailability performance metrics; (8) cluster-related performancemetrics; and (9) virtual machine performance statistics. For moredetails about such performance metrics, please see U.S. patent Ser. No.14/167,316 filed 29 Jan. 2014, which is hereby incorporated herein byreference. Also, see “vSphere Monitoring and Performance,” Update 1,vSphere 5.5, EN-001357-00,http://pubs.vmware.com/vsphere-55/topic/com.vmware.ICbase/PDF/vsphere-esxi-vcenter-server-551-monitoring-performance-guide.pdf.

To facilitate retrieving information of interest from performance dataand log files, the SPLUNK® APP FOR VMWARE® provides pre-specifiedschemas for extracting relevant values from different types ofperformance-related event data, and also enables a user to define suchschemas.

The SPLUNK® APP FOR VMWARE® additionally provides various visualizationsto facilitate detecting and diagnosing the root cause of performanceproblems. For example, one such visualization is a “proactive monitoringtree” that enables a user to easily view and understand relationshipsamong various factors that affect the performance of a hierarchicallystructured computing system. This proactive monitoring tree enables auser to easily navigate the hierarchy by selectively expanding nodesrepresenting various entities (e.g., virtual centers or computingclusters) to view performance information for lower-level nodesassociated with lower-level entities (e.g., virtual machines or hostsystems). Exemplary node-expansion operations are illustrated in FIG.77C, wherein nodes 7733 and 7734 are selectively expanded. Note thatnodes 7731-7739 can be displayed using different patterns or colors torepresent different performance states, such as a critical state, awarning state, a normal state or an unknown/offline state. The ease ofnavigation provided by selective expansion in combination with theassociated performance-state information enables a user to quicklydiagnose the root cause of a performance problem. The proactivemonitoring tree is described in further detail in U.S. patentapplication Ser. No. 14/235,490 filed on 15 Apr. 2014, which is herebyincorporated herein by reference for all possible purposes.

The SPLUNK® APP FOR VMWARE ® also provides a user interface that enablesa user to select a specific time range and then view heterogeneous data,comprising events, log data and associated performance metrics, for theselected time range. For example, the screen illustrated in FIG. 77Ddisplays a listing of recent “tasks and events” and a listing of recent“log entries” for a selected time range above a performance-metric graphfor “average CPU core utilization” for the selected time range. Notethat a user is able to operate pull-down menus 7742 to selectivelydisplay different performance metric graphs for the selected time range.This enables the user to correlate trends in the performance-metricgraph with corresponding event and log data to quickly determine theroot cause of a performance problem. This user interface is described inmore detail in U.S. patent application Ser. No. 14/167,316 filed on 29Jan. 2014, which is hereby incorporated herein by reference for allpossible purposes.

FIG. 78 illustrates a diagrammatic representation of a machine in theexemplary form of a computer system 7800 within which a set ofinstructions, for causing the machine to perform any one or more of themethodologies discussed herein, may be executed. The system 7800 may bein the form of a computer system within which a set of instructions, forcausing the machine to perform any one or more of the methodologiesdiscussed herein, may be executed. In alternative embodiments, themachine may be connected (e.g., networked) to other machines in a LAN,an intranet, an extranet, or the Internet. The machine may operate inthe capacity of a server machine in client-server network environment.The machine may be a personal computer (PC), a set-top box (STB), aserver, a network router, switch or bridge, or any machine capable ofexecuting a set of instructions (sequential or otherwise) that specifyactions to be taken by that machine. Further, while only a singlemachine is illustrated, the term “machine” shall also be taken toinclude any collection of machines that individually or jointly executea set (or multiple sets) of instructions to perform any one or more ofthe methodologies discussed herein. In one embodiment, computer system7800 may represent system 210 of FIG. 2.

The exemplary computer system 7800 includes a processing device(processor) 7802, a main memory 7804 (e.g., read-only memory (ROM),flash memory, dynamic random access memory (DRAM) such as synchronousDRAM (SDRAM)), a static memory 7806 (e.g., flash memory, static randomaccess memory (SRAM)), and a data storage device 7818, which communicatewith each other via a bus 7830.

Processing device 7802 represents one or more general-purpose processingdevices such as a microprocessor, central processing unit, or the like.More particularly, the processing device 7802 may be a complexinstruction set computing (CISC) microprocessor, reduced instruction setcomputing (RISC) microprocessor, very long instruction word (VLIW)microprocessor, or a processor implementing other instruction sets orprocessors implementing a combination of instruction sets. Theprocessing device 7802 may also be one or more special-purposeprocessing devices such as an application specific integrated circuit(ASIC), a field programmable gate array (FPGA), a digital signalprocessor (DSP), network processor, or the like. The processing device7802 is configured to execute the notification manager 210 forperforming the operations and steps discussed herein.

The computer system 7800 may further include a network interface device7808. The computer system 7800 also may include a video display unit7810 (e.g., a liquid crystal display (LCD) or a cathode ray tube (CRT)),an alphanumeric input device 7812 (e.g., a keyboard), a cursor controldevice 7814 (e.g., a mouse), and a signal generation device 7816 (e.g.,a speaker).

The data storage device 7818 may include a computer-readable medium 7828on which is stored one or more sets of instructions 7822 (e.g.,instructions for search term generation) embodying any one or more ofthe methodologies or functions described herein. The instructions 7822may also reside, completely or at least partially, within the mainmemory 7804 and/or within processing logic 7826 of the processing device7802 during execution thereof by the computer system 7800, the mainmemory 7804 and the processing device 7802 also constitutingcomputer-readable media. The instructions may further be transmitted orreceived over a network 7820 via the network interface device 7808.

While the computer-readable storage medium 7828 is shown in an exemplaryembodiment to be a single medium, the term “computer-readable storagemedium” should be taken to include a single medium or multiple media(e.g., a centralized or distributed database, and/or associated cachesand servers) that store the one or more sets of instructions. The term“computer-readable storage medium” shall also be taken to include anymedium that is capable of storing, encoding or carrying a set ofinstructions for execution by the machine and that cause the machine toperform any one or more of the methodologies of the present invention.The term “computer-readable storage medium” shall accordingly be takento include, but not be limited to, solid-state memories, optical media,and magnetic media.

The preceding description sets forth numerous specific details such asexamples of specific systems, components, methods, and so forth, inorder to provide a good understanding of several embodiments of thepresent invention. It will be apparent to one skilled in the art,however, that at least some embodiments of the present invention may bepracticed without these specific details. In other instances, well-knowncomponents or methods are not described in detail or are presented insimple block diagram format in order to avoid unnecessarily obscuringthe present invention. Thus, the specific details set forth are merelyexemplary. Particular implementations may vary from these exemplarydetails and still be contemplated to be within the scope of the presentinvention.

In the above description, numerous details are set forth. It will beapparent, however, to one of ordinary skill in the art having thebenefit of this disclosure, that embodiments of the invention may bepracticed without these specific details. In some instances, well-knownstructures and devices are shown in block diagram form, rather than indetail, in order to avoid obscuring the description.

Some portions of the detailed description are presented in terms ofalgorithms and symbolic representations of operations on data bitswithin a computer memory. These algorithmic descriptions andrepresentations are the means used by those skilled in the dataprocessing arts to most effectively convey the substance of their workto others skilled in the art. An algorithm is here, and generally,conceived to be a self-consistent sequence of steps leading to a desiredresult. The steps are those requiring physical manipulations of physicalquantities. Usually, though not necessarily, these quantities take theform of electrical or magnetic signals capable of being stored,transferred, combined, compared, and otherwise manipulated. It hasproven convenient at times, principally for reasons of common usage, torefer to these signals as bits, values, elements, symbols, characters,terms, numbers, or the like.

It should be borne in mind, however, that all of these and similar termsare to be associated with the appropriate physical quantities and aremerely convenient labels applied to these quantities. Unlessspecifically stated otherwise as apparent from the above discussion, itis appreciated that throughout the description, discussions utilizingterms such as “determining”, “identifying”, “adding”, “selecting” or thelike, refer to the actions and processes of a computer system, orsimilar electronic computing device, that manipulates and transformsdata represented as physical (e.g., electronic) quantities within thecomputer system's registers and memories into other data similarlyrepresented as physical quantities within the computer system memoriesor registers or other such information storage, transmission or displaydevices.

Embodiments of the invention also relate to an apparatus for performingthe operations herein. This apparatus may be specially constructed forthe required purposes, or it may comprise a general purpose computerselectively activated or reconfigured by a computer program stored inthe computer. Such a computer program may be stored in a computerreadable storage medium, such as, but not limited to, any type of diskincluding floppy disks, optical disks, CD-ROMs, and magnetic-opticaldisks, read-only memories (ROMs), random access memories (RAMs), EPROMs,EEPROMs, magnetic or optical cards, or any type of media suitable forstoring electronic instructions.

The algorithms and displays presented herein are not inherently relatedto any particular computer or other apparatus. Various general purposesystems may be used with programs in accordance with the teachingsherein, or it may prove convenient to construct a more specializedapparatus to perform the required method steps. The required structurefor a variety of these systems will appear from the description below.In addition, the present invention is not described with reference toany particular programming language. It will be appreciated that avariety of programming languages may be used to implement the teachingsof the invention as described herein.

It is to be understood that the above description is intended to beillustrative, and not restrictive. Many other embodiments will beapparent to those of skill in the art upon reading and understanding theabove description. The scope of the invention should, therefore, bedetermined with reference to the appended claims, along with the fullscope of equivalents to which such claims are entitled.

What is claimed is:
 1. A method comprising: presenting an interfaceenabling an indication of one or more thresholds for a key performanceindicator (KPI), each threshold defining an end of a range of valuescorresponding to a particular state of the KPI from among a plurality ofstates: wherein the KPI is defined by a search query that produces avalue derived from machine data identified in one or more entitydefinitions, the value indicative of a measure of a service at a pointin time or during a period of time, and wherein each of the entitydefinitions represents a respective entity that performs the service andincludes an identification of machine data pertaining to the entity;receiving via the interface the indication of at least one of thethresholds for the KPI; and recording threshold information in computerstorage in association with the KPI in accordance with the receivedindication so as to condition an automatic process for determining astate of the KPI from the plurality of states based at least in part onan instance of the value produced by the search query; wherein themachine data is produced by one or more components within an informationtechnology environment and reflects activity within the informationtechnology environment; wherein the method is performed by one or moreprocessing devices coupled to the computer storage.
 2. The method ofclaim 1 further comprising: determining one of the plurality of statesof the KPI in view of the threshold information.
 3. The method of claim1 further comprising: performing the automatic process according to afrequency and/or a schedule and thereby determining one of the pluralityof states of the KPI in view of the threshold information.
 4. The methodof claim 1 further comprising: performing the automatic processaccording to a frequency and/or a schedule and thereby determining oneof the plurality of states of the KPI in view of the thresholdinformation; and wherein the machine data comprises timestamped eventseach having a segment of raw data.
 5. The method of claim 1 wherein theinterface further enables a user to indicate a name of the particularstate.
 6. The method of claim 1 wherein the interface further enables auser to indicate a visual indicator for the particular state.
 7. Themethod of claim 1 wherein the interface displays a predefined name,predefined value, and predefined visual indicator for at least one stateof the plurality of states.
 8. The method of claim 1 wherein receivingthe indication of at least one of the thresholds for the KPI comprises:causing the display of an interface element that represents theparticular state wherein the visual appearance of the interface elementis based at least in part on the received indication.
 9. The method ofclaim 1 wherein receiving the indication of at least one of thethresholds for the KPI comprises: causing the display of an interfaceelement that represents the particular state wherein the size of theinterface element is based at least in part on the received indication.10. The method of claim 1, further comprising: receiving via theinterface indications of a maximum value and a minimum value defining ascale for a widget representing the KPI.
 11. The method of claim 1wherein the interface further enables a user to indicate application ofthe at least one threshold to an aggregate KPI of the service.
 12. Themethod of claim 1 wherein the machine data comprises timestamped events.13. The method of claim 1 wherein the machine data comprises timestampedevents each having a segment of raw data.
 14. The method of claim 1wherein the machine data comprises timestamped events of an event datastore, each event having a segment of raw data and each event createdwithout regard to a definition of the service in computer storage, theservice definition associating the one or more entity definitions. 15.The method of claim 1: wherein the machine data comprises timestampedevents of an event data store, each event having a segment of raw dataand each event created without regard to a definition of the service incomputer storage, the service definition associating the one or moreentity definitions; and wherein the search query is executed by an eventprocessing system.
 16. The method of claim 1: wherein the machine datacomprises timestamped events of an event data store, each event having asegment of raw data and each event created without regard to adefinition of the service in computer storage, the service definitionassociating the one or more entity definitions; and wherein the raw datais ingested from a plurality of sources.
 17. The method of claim 1:wherein the machine data comprises timestamped events of an event datastore, each event having a segment of raw data and each event createdwithout regard to a definition of the service in computer storage, theservice definition associating the one or more entity definitions; andwherein the value produced by the search query is derived at least inpart based on an extraction rule specifying how to extract informationfrom at least one of the segments of raw data at the time of the searchquery.
 18. The method of claim 1: wherein the machine data comprisestimestamped events of an event data store, each event having a segmentof raw data and each event created without regard to a definition of theservice in computer storage, the service definition associating the oneor more entity definitions; and wherein, for at least one of theentities, the machine data pertaining to the entity comes from more thanone source.
 19. The method of claim 1: wherein the machine datacomprises timestamped events of an event data store, each event having asegment of raw data and each event created without regard to adefinition of the service in computer storage, the service definitionassociating the one or more entity definitions; and wherein, for atleast one of the entities, the machine data pertaining to the entitycomes in different formats and from more than one source.
 20. The methodof claim 1 wherein the value produced by the search query is derived inaccordance with a late-binding schema specifying how to extractinformation from the machine data at the time of the search query. 21.The method of claim 1 wherein the value produced by the search query isderived in accordance with at least one extraction rule specifying howto extract information from the machine data at the time of the searchquery.
 22. The method of claim 1 wherein the value produced by thesearch query is derived in accordance with at least one extraction rulespecifying how to extract information from a raw data segment of themachine data at the time of the search query.
 23. The method of claim 1wherein the value produced by the search query is derived in accordancewith a late-binding schema.
 24. The method of claim 1 wherein themachine data identified by the entity definition information for atleast one particular entity comes from multiple sources.
 25. The methodof claim 1 wherein the machine data identified by the entity definitioninformation for at least one particular entity comes from that entityand a different source.
 26. The method of claim 1 wherein the machinedata identified by the entity definition information for at least oneparticular entity comes from at least two sources other than the entity.27. The method of claim 1 wherein the machine data identified by theentity definition information for at least one particular entityincludes data in different formats.
 28. The method of claim 1 whereinthe machine data identified by the entity definition information for atleast one particular entity includes log data produced by that entity.29. A system comprising: a memory; and a processing device coupled withthe memory to: present an interface enabling an indication of one ormore thresholds for a key performance indicator (KPI), each thresholddefining an end of a range of values corresponding to a particular stateof the KPI from among a plurality of states: wherein the KPI is definedby a search query that produces a value derived from machine dataidentified in one or more entity definitions, the value indicative of ameasure of a service at a point in time or during a period of time, andwherein each of the entity definitions represents a respective entitythat performs the service and includes an identification of machine datapertaining to the entity; receive via the interface the indication of atleast one of the thresholds for the KPI; and record thresholdinformation in computer storage in association with the KPI inaccordance with the received indication so as to condition an automaticprocess for determining a state of the KPI from the plurality of statesbased at least in part on an instance of the value produced by thesearch query; wherein the machine data is produced by one or morecomponents within an information technology environment and reflectsactivity within the information technology environment.
 30. Anon-transitory computer readable storage medium encoding instructionsthereon that, in response to execution by one or more processingdevices, cause the processing device to perform operations comprising:presenting an interface enabling an indication of one or more thresholdsfor a key performance indicator (KPI), each threshold defining an end ofa range of values corresponding to a particular state of the KPI fromamong a plurality of states: wherein the KPI is defined by a searchquery that produces a value derived from machine data identified in oneor more entity definitions, the value indicative of a measure of aservice at a point in time or during a period of time, and wherein eachof the entity definitions represents a respective entity that performsthe service and includes an identification of machine data pertaining tothe entity; receiving via the interface the indication of at least oneof the thresholds for the KPI; and recording threshold information incomputer storage in association with the KPI in accordance with thereceived indication so as to condition an automatic process fordetermining a state of the KPI from the plurality of states based atleast in part on an instance of the value produced by the search query;wherein the machine data is produced by one or more components within aninformation technology environment and reflects activity within theinformation technology environment.